New Supermarket Announcements!

Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the supermarket mailing list.

Select Supported Platforms


docker (154) Versions 2.2.9

Provides docker_service, docker_image, and docker_container resources

cookbook 'docker', '~> 2.2.9'
cookbook 'docker', '~> 2.2.9'
knife cookbook site install docker
knife cookbook site download docker

Docker Cookbook

Build Status Gitter

The Docker Cookbook is a library cookbook that provides resources (LWRPs) for use in recipes.


This cookbook is concerned with the Docker container engine as distributed by Docker, Inc. It does not address Docker ecosystem tooling or prerequisite technology such as cgroups or aufs.


  • Chef 12.0.0 or higher. Chef 11 is NOT SUPPORTED, please do not open issues about it.
  • Ruby 2.1 or higher (preferably, the Chef full-stack installer)
  • Network accessible web server hosting the docker binary.
  • SELinux permissive/disabled if CentOS Docker Issue #15498

Platform Support

The following platforms have been tested with Test Kitchen: You may be able to get it working on other platforms, with appropriate configuration of cgroups and storage back ends.

|              | 1.7.1 | 1.8.2 | 1.9.0 |
| debian-8     | X     | X     | X     |
| centos-7     | X     | X     | X     |
| fedora-21    | X     | X     | X     |
| ubuntu-12.04 | X     | X     | X     |
| ubuntu-14.04 | X     | X     | X     |
| ubuntu-15.04 | X     | X     | X     |

Cookbook Dependencies


  • Add depends 'docker', '~> 2.0' to your cookbook's metadata.rb
  • Use resources shipped in cookbook in a recipe, the same way you'd use core Chef resources (file, template, directory, package, etc).
docker_service 'default' do
  action [:create, :start]

docker_image 'busybox' do
  action :pull

docker_container 'an echo server' do
  repo 'busybox'
  port '1234:1234'
  command "nc -ll -p 1234 -e /bin/cat"

Test Cookbooks as Examples

The cookbooks ran under test-kitchen make excellent usage examples.

The test recipes are found at: ruby test/cookbooks/docker_test/

Cgroups, Execution and Storage drivers

Beginning in chef-docker 1.0, support for LXC execution driver has been removed in favor of native. Cgroups and storage drivers are now loosely coupled dependencies and should be configured using other cookbooks if needed.

Storage drivers can be selected with the storage_driver property on the docker_service resource like this:

docker_service 'default' do
   storage_driver 'overlay'

Configuration of the backing storage driver, including kernel module loading, is out of scope for this cookbook.

Resources Overview

  • docker_installation_binary: copies a pre-compiled docker binary onto disk
  • docker_installation_script: curl | bash
  • docker_installation_package: package 'docker-engine'
  • docker_installation: automatically select a resource
  • docker_service_manager_execute: manage docker daemon with Chef
  • docker_service_manager_sysvinit: manage docker daemon with a sysvinit script
  • docker_service_manager_upstart: manage docker daemon with upstart script
  • docker_service_manager_systemd: manage docker daemon with systemd unit files
  • docker_service_manager: automatically select a resource
  • docker_service: composite resource that uses docker_installation and docker_service_manager
  • docker_image: image/repository operations
  • docker_container: container operations
  • docker_tag: image tagging operations
  • docker_registry: registry operations

Getting Started

Here's a quick example of pulling the latest image and running a container with exposed ports.

# Pull latest image
docker_image 'nginx' do
  tag 'latest'
  action :pull
  notifies :redeploy, 'docker_container[my_nginx]'

# Run container exposing ports
docker_container 'my_nginx' do
  repo 'nginx'
  tag 'latest'
  port '80:80'
  host_name 'www'
  domain_name ''
  env 'FOO=bar'
  binds [ '/some/local/files/:/etc/nginx/conf.d' ]

You might run a private registry and multiple Docker hosts.

# Login to private registry
docker_registry '' do
  username 'shipper'
  password 'iloveshipping'
  email ''

# Pull tagged image
docker_image '' do
  tag 'latest'
  action :pull
  host 'tcp://'

# Run container
docker_container 'crowsnest' do
  repo ''
  tag 'latest'
  host 'tcp://'
  tls_verify true
  tls_ca_cert "/path/to/ca.pem"
  tls_client_cert "/path/to/cert.pem"
  tls_client_key "/path/to/key.pem"
  action :run

See full documentation for each resource and action below for more information.

Resources Details


The docker_installation resource auto-selects one of the below resources with the provider resolution system.


docker_installation 'default' do
  repo 'test'
  action :create


The docker_installation_binary resource copies the precompiled Go binary onto the disk. It exists to help run older Docker versions. It should not be used in production, especially with devicemapper.


docker_installation_binary 'default' do
  version '1.8.2'
  source ''
  checksum '97a3f5924b0b831a310efa8bf0a4c91956cd6387c4a8667d27e2b2dd3da67e4d'
  action :create


  • version - The desired version of docker. Used to calculate source.
  • source - Path to network accessible Docker binary. Ignores version
  • checksum - SHA-256


The docker_installation_script resource runs the script hosted by Docker, Inc at It configures package repositories and installs a dynamically compiled binary.


docker_installation_script 'default' do
  repo 'main'
  script_url ''
  action :create


  • repo - One of 'main', 'test', or 'experimental'. Used to calculate script_url in its absense. Defaults to 'main'
  • script_url - 'URL of script to pipe into /bin/sh as root.


The docker_installation_package resource uses the system package manager to install Docker. It relies on the pre-configuration of the system's package repositories. The excellent yum-docker and apt-docker Supermarket cookbooks are used to do this in test-kitchen.

This is the recommended production installation method.


docker_installation_package 'default' do
  version '1.8.3'
  action :create


  • version - Used to calculate package_version string
  • package_version - Manually specify the package version string
  • package_name - Name of package to install. Defaults to 'docker-engine'


The docker_service_manager resource auto-selects one of the below resources with the provider resolution system. The docker_service family all share a common set of properties, which are listed under the docker_service composite resource.


docker_service_manager 'default' do
  action :start



docker_service_manager_execute 'default' do
  action :start



docker_service_manager_sysvinit 'default' do
  host 'unix:///var/run/docker.sock'
  action :stop



docker_service_manager_upstart 'default' do
  host ['unix:///var/run/docker.sock', 'tcp://']
  action :start



docker_service_manager_systemd 'default' do
  host ['unix:///var/run/docker.sock', 'tcp://']
  tls_verify true
  tls_ca_cert "/path/to/ca.pem"
  tls_server_cert "/path/to/server.pem"
  tls_server_key "/path/to/server-key.pem"
  tls_client_cert "/path/to/cert.pem"
  tls_client_key "/path/to/key.pem"
  action :start


The docker_service: resource is a composite resource that uses docker_installation and docker_service_manager resources.

  • The :create action uses a docker_installation
  • The :delete action uses a docker_installation
  • The :start action uses a docker_service_manager
  • The :stop action uses a docker_service_manager

The service management strategy for the host platform is dynamically chosen based on platform, but can be overridden.


docker_service 'tls_test:2376' do
  host [ "tcp://#{node['ipaddress']}:2376", 'unix:///var/run/docker.sock' ]
  tls_verify true
  tls_ca_cert '/path/to/ca.pem'
  tls_server_cert '/path/to/server.pem'
  tls_server_key '/path/to/server-key.pem'
  tls_client_cert '/path/to/client.pem'
  tls_client_key '/path/to/client-key.pem'
  action [:create, :start]

WARNING - As of the 1.0 version of this cookbook, docker_service is a singleton resource. This means that if you create multiple docker_service resources on the same machine, you will only create one actual service and things may not work as expected.


The docker_service resource property list mostly corresponds to the options found in the Docker Command Line Reference

  • source - URL to the pre-compiled Docker binary used for installation. Defaults to a calculated URL based on kernel version, Docker version, and platform arch. By default, this will try to get to "".
  • version - Docker version to install
  • checksum - sha256 checksum of Docker binary
  • instance - Identity for docker_service resource. Defaults to name. Mostly unimportant for the 1.0 version because of its singleton status. | String | nil
  • api_cors_header - Set CORS headers in the remote API
  • bridge - Attach containers to a network bridge
  • bip - Specify network bridge IP
  • debug - Enable debug mode
  • cluster_store - Cluster store to use
  • cluster_advertise - Ip and port that this daemon should advertise to the cluster
  • cluster_store_opts - Cluster store options
  • daemon - Enable daemon mode
  • dns - DNS server(s) to use
  • dns_search - DNS search domains to use
  • exec_driver - Exec driver to use
  • fixed_cidr - IPv4 subnet for fixed IPs
  • fixed_cidr_v6 - IPv6 subnet for fixed IPs
  • group - Posix group for the unix socket
  • graph - Root of the Docker runtime - Effectively, the "data directory"
  • host - Daemon socket(s) to connect to - tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd
  • icc - Enable inter-container communication
  • ip - Default IP when binding container ports
  • ip_forward - Enable ip forwarding
  • ipv4_forward - Enable net.ipv4.ip_forward
  • ipv6_forward - Enable net.ipv6.ip_forward
  • ip_masq - Enable IP masquerading
  • iptables - Enable addition of iptables rules
  • ipv6 - Enable IPv6 networking
  • log_level - Set the logging level
  • labels A string or array to set metadata on the daemon in the form ['foo:bar', 'hello:world']`
  • log_driver - Container's logging driver (json-file/syslog/journald/gelf/fluentd/none)
  • log_opts - Container's logging driver options (driver-specific)
  • mtu - Set the containers network MTU
  • pidfile - Path to use for daemon PID file
  • registry_mirror - Preferred Docker registry mirror
  • storage_driver - Storage driver to use
  • selinux_enabled - Enable selinux support
  • storage_opts - Set storage driver options
  • tls - Use TLS; implied by --tlsverify. Defaults to ENV['DOCKER_TLS'] if set
  • tls_verify - Use TLS and verify the remote. Defaults to ENV['DOCKER_TLS_VERIFY'] if set
  • tls_ca_cert - Trust certs signed only by this CA. Defaults to ENV['DOCKER_CERT_PATH'] if set
  • tls_server_cert - Path to TLS certificate file for docker service
  • tls_server_key - Path to TLS key file for docker service
  • tls_client_cert - Path to TLS certificate file for docker cli. Defaults to ENV['DOCKER_CERT_PATH'] if set
  • tls_client_key - Path to TLS key file for docker cli. Defaults to ENV['DOCKER_CERT_PATH'] if set
  • default_ulimit - Set default ulimit settings for containers
  • http_proxy - ENV variable set before for Docker daemon starts
  • https_proxy - ENV variable set before for Docker daemon starts
  • no_proxy - ENV variable set before for Docker daemon starts
  • tmpdir - ENV variable set before for Docker daemon starts
  • logfile - Location of Docker daemon log file
  • userland_proxy- Enables or disables docker-proxy


  • :create - Lays the Docker bits out on disk
  • :delete - Removes the Docker bits from the disk
  • :start - Makes sure the service provider is set up properly and start it
  • :stop - Stops the service
  • :restart - Restarts the service

docker_service implementations

  • docker_service_execute - The simplest docker_service. Just starts a process. Fire and forget.

  • docker_service_sysvinit - Uses a SystemV init script to manage the service state.

  • docker_service_upstart - Uses an Upstart script to manage the service state.

  • docker_service_systemd - Uses an Systemd unit file to manage the service state. NOTE: This does NOT enable systemd socket activation.


The docker_image is responsible for managing Docker image pulls, builds, and deletions. It speaks directly to the Docker remote API.


  • default action, default properties ruby docker_image 'hello-world'

  • non-default name attribute ruby docker_image "Tom's container" do repo 'tduffield/testcontainerd' action :pull end

  • pull every time ruby docker_image 'busybox' do action :pull end

  • specify a tag ruby docker_image 'alpine' do tag '3.1' end

  • specify read/write timeouts ruby docker_image 'alpine' do read_timeout 60 write_timeout 60 end

docker_image 'vbatts/slackware' do
  action :remove
  • save ruby docker_image 'save hello-world' do repo 'hello-world' destination '/tmp/hello-world.tar' not_if { ::File.exist? '/tmp/hello-world.tar' } action :save end

  • build from a Dockerfile on every chef-client run ruby docker_image 'image_1' do tag 'v0.1.0' source '/src/myproject/container1/Dockerfile' action :build end

  • build from a directory, only if image is missing ruby docker_image 'image_2' do tag 'v0.1.0' source '/src/myproject/container2' action :build_if_missing end

  • build from a tarball NOTE: this is not an "export" tarball generated from an an image save. The contents should be a Dockerfile, and anything it references to COPY or ADD

docker_image 'image_3' do
  tag 'v0.1.0'
  source '/tmp/image_3.tar'
  action :build
docker_image 'hello-again' do
  tag 'v0.1.0'
  source '/tmp/hello-world.tar'
  action :import
  • push ruby docker_image '' do action :push end

  • Connect to an external docker daemon and pull an image

docker_image 'alpine' do
  host 'tcp://'
  tag '2.7'


The docker_image resource properties mostly corresponds to the Docker Remote API as driven by the Swipley docker-api Ruby gem

A docker_image's full identifier is a string in the form "<repo>:<tag>". There is some nuance around the naming when the public registry vs a private one.

  • repo - aka image_name - The first half of a Docker image's identity. This is a string in the form: registry:port/owner/image_name. If the registry:port portion is left off, Docker will implicitly use the Docker public registry. "Official Images" omit the owner part. This means a repo id can look as short as busybox, alpine, or centos, to refer to official images on the public registry, and as long as to refer to custom images on an private registry. Often you'll see something like someara/chef to refer to private images on the public registry. - Defaults to resource name.
  • tag - The second half of a Docker image's identity. - Defaults to latest
  • source - Path to input for the :import, :build and :build_if_missing actions. For building, this can be a Dockerfile, a tarball containing a Dockerfile in its root, or a directory containing a Dockerfile. For import, this should be a tarball containing Docker formatted image, as generated with :save.
  • destination - Path for output from the :save action.
  • force - A force boolean used in various actions - Defaults to false
  • nocache - Used in :build operations. - Defaults to false
  • noprune - Used in :remove operations - Defaults to false
  • rm - Remove intermediate containers after a successful build (default behavior) - Defaults to true
  • read_timeout - May need to increase for long image builds/pulls
  • write_timeout - May need to increase for long image builds/pulls
  • host - A string containing the host the API should communicate with. Defaults to ENV['DOCKER_HOST'] if set
  • tls - Use TLS; implied by --tlsverify. Defaults to ENV['DOCKER_TLS'] if set
  • tls_verify - Use TLS and verify the remote. Defaults to ENV['DOCKER_TLS_VERIFY'] if set
  • tls_ca_cert - Trust certs signed only by this CA. Defaults to ENV['DOCKER_CERT_PATH'] if set
  • tls_client_cert - Path to TLS certificate file for docker cli. Defaults to ENV['DOCKER_CERT_PATH'] if set
  • tls_client_key - Path to TLS key file for docker cli. Defaults to ENV['DOCKER_CERT_PATH'] if set


The following actions are available for a docker_image resource. Defaults to pull_if_missing

  • :pull - Pulls an image from the registry
  • :pull_if_missing - Pulls an image from the registry, only if it missing
  • :build - Builds an image from a Dockerfile, directory, or tarball
  • :build_if_missing - Same build, but only if it is missing
  • :save - Exports an image to a tarball at destination
  • :import - Imports an image from a tarball at destination
  • :remove - Removes (untags) an image
  • :push - Pushes an image to the registry


Docker tags work very much like hard links in a Unix filesystem. They are just references to an existing image. Therefore, the docker_tag resource has taken inspiration from the Chef link resource.


docker_tag 'private repo tag for hello-again:1.0.1' do
  target_repo 'hello-again'
  target_tag 'v0.1.0'
  to_repo 'localhost:5043/someara/hello-again'
  to_tag 'latest'
  action :tag


  • target_repo - The repo half of the source image identifier.
  • target_tag - The tag half of the source image identifier.
  • to_repo - The repo half of the new image identifier
  • to_tag- The tag half of the new image identifier


  • :tag - Tags the image


The docker_container is responsible for managing Docker container actions. It speaks directly to the Docker remote API.

Containers are process oriented, and move through an event cycle. Thanks to Glider Labs for this excellent diagram. alt tag


  • Create a container without starting it.
docker_container 'hello-world' do
  command '/hello'
  action :create
  • This command will exit succesfully. This will happen on every chef-client run.
docker_container 'busybox_ls' do
  repo 'busybox'
  command 'ls -la /'
  action :run
  • The :run_if_missing action will only run once. It is the default action.
docker_container 'alpine_ls' do
  repo 'alpine'
  tag '3.1'
  command 'ls -la /'
  action :run_if_missing
  • Set environment variables in a container
docker_container 'env' do
  repo 'debian'
  env ['PATH=/usr/bin', 'FOO=bar']
  command 'env'
  action :run_if_missing
  • This process remains running between chef-client runs, :run will do nothing on subsequent converges.
docker_container 'an_echo_server' do
  repo 'alpine'
  tag '3.1'
  command 'nc -ll -p 7 -e /bin/cat'
  port '7:7'
  action :run
  • Let docker pick the host port
docker_container 'another_echo_server' do
  repo 'alpine'
  tag '3.1'
  command 'nc -ll -p 7 -e /bin/cat'
  port '7'
  action :run
  • Specify the udp protocol
docker_container 'an_udp_echo_server' do
  repo 'alpine'
  tag '3.1'
  command 'nc -ul -p 7 -e /bin/cat'
  port '5007:7/udp'
  action :run
  • Kill a container
docker_container 'bill' do
  action :kill
  • Stop a container
docker_container 'hammer_time' do
  action :stop
  • Force-stop a container after 30 seconds
docker_container 'hammer_time' do
  kill_after 30
  action :stop
  • Pause a container
docker_container 'red_light' do
  action :pause
  • Unpause a container
docker_container 'green_light' do
  action :unpause
  • Restart a container
docker_container 'restarter' do
  action :restart
  • Delete a container
docker_container 'deleteme' do
  remove_volumes true
  action :delete
  • Redeploy a container
docker_container 'redeployer' do
  repo 'alpine'
  tag '3.1'
  command 'nc -ll -p 7777 -e /bin/cat'
  port '7'
  action :run

execute 'redeploy redeployer' do
  notifies :redeploy, 'docker_container[redeployer]', :immediately
  action :run
  • Bind mount local directories
docker_container 'bind_mounter' do
  repo 'busybox'
  command 'ls -la /bits /more-bits'
  binds ['/hostbits:/bits', '/more-hostbits:/more-bits']
  action :run_if_missing
  • Mount volumes from another container
docker_container 'chef_container' do
  command 'true'
  volumes '/opt/chef'
  action :create

docker_container 'ohai_debian' do
  command '/opt/chef/embedded/bin/ohai platform'
  repo 'debian'
  volumes_from 'chef_container'
  • Set a container's entrypoint
docker_container 'ohai_again_debian' do
  repo 'debian'
  volumes_from 'chef_container'
  entrypoint '/opt/chef/embedded/bin/ohai'
  command 'platform'
  action :run_if_missing
  • Automatically remove a container after it exits
docker_container 'sean_was_here' do
  command "touch /opt/chef/sean_was_here-#{'%Y%m%d%H%M')}"
  repo 'debian'
  volumes_from 'chef_container'
  autoremove true
  action :run
  • Grant NET_ADMIN rights to a container
docker_container 'cap_add_net_admin' do
  repo 'debian'
  command 'bash -c "ip addr add brd + dev eth0 label eth0:0 ; ip addr list"'
  cap_add 'NET_ADMIN'
  action :run_if_missing
  • Revoke MKNOD rights to a container ruby docker_container 'cap_drop_mknod' do repo 'debian' command 'bash -c "mknod -m 444 /dev/urandom2 c 1 9 ; ls -la /dev/urandom2"' cap_drop 'MKNOD' action :run_if_missing end

  • Set a container's hostname and domainname

docker_container 'fqdn' do
  repo 'debian'
  command 'hostname -f'
  host_name 'computers'
  domain_name 'biz'
  action :run_if_missing
  • Set a container's DNS resolution
docker_container 'dns' do
  repo 'debian'
  command 'cat /etc/resolv.conf'
  host_name 'computers'
  dns ['', '']
  dns_search ['', '']
  action :run_if_missing
  • Add extra hosts to a container's /etc/hosts
docker_container 'extra_hosts' do
  repo 'debian'
  command 'cat /etc/hosts'
  extra_hosts ['east:', 'west:']
  action :run_if_missing
  • Manage container's restart_policy
docker_container 'try_try_again' do
  repo 'alpine'
  tag '3.1'
  command 'grep asdasdasd /etc/passwd'
  restart_policy 'on-failure'
  restart_maximum_retry_count 2
  action :run_if_missing

docker_container 'reboot_survivor' do
  repo 'alpine'
  tag '3.1'
  command 'nc -ll -p 123 -e /bin/cat'
  port '123'
  restart_policy 'always'
  action :run_if_missing
  • Manage container links
docker_container 'link_source' do
  repo 'alpine'
  tag '3.1'
  env ['FOO=bar', 'BIZ=baz']
  command 'nc -ll -p 321 -e /bin/cat'
  port '321'
  action :run_if_missing

docker_container 'link_target_1' do
  repo 'alpine'
  tag '3.1'
  env ['ASD=asd']
  command 'ping -c 1 hello'
  links ['link_source:hello']
  action :run_if_missing

docker_container 'link_target_2' do
  repo 'alpine'
  tag '3.1'
  command 'env'
  links ['link_source:hello']
  action :run_if_missing

execute 'redeploy_link_source' do
  command 'touch /marker_container_redeploy_link_source'
  creates '/marker_container_redeploy_link_source'
  notifies :redeploy, 'docker_container[link_source]', :immediately
  notifies :redeploy, 'docker_container[link_target_1]', :immediately
  notifies :redeploy, 'docker_container[link_target_2]', :immediately
  action :run
  • Mutate a container between chef-client runs
docker_tag 'mutator_from_busybox' do
  target_repo 'busybox'
  target_tag 'latest'
  to_repo 'someara/mutator'
  target_tag 'latest'

docker_container 'mutator' do
  repo 'someara/mutator'
  tag 'latest'
  command "sh -c 'touch /mutator-`date +\"%Y-%m-%d_%H-%M-%S\"`'"
  outfile '/mutator.tar'
  force true
  action :run_if_missing

execute 'commit mutator' do
  command 'true'
  notifies :commit, 'docker_container[mutator]', :immediately
  notifies :export, 'docker_container[mutator]', :immediately
  notifies :redeploy, 'docker_container[mutator]', :immediately
  action :run
  • Specify read/write timeouts
docker_container 'api_timeouts' do
  repo 'alpine'
  read_timeout 60
  write_timeout 60
  • Specify a custom logging driver and its options
docker_container 'syslogger' do
  repo 'alpine'
  tag '3.1'
  command 'nc -ll -p 780 -e /bin/cat'
  log_driver 'syslog'
  log_opts 'syslog-tag=container-syslogger'
  • Connect to an external docker daemon and create a container
docker_container 'external_daemon' do
  repo 'alpine'
  host 'tcp://'
  action :create


Most docker_container properties are the snake_case version of the CamelCase keys found in the Docker Remote Api

  • container_name - The name of the container. Defaults to the name of the docker_container resource.
  • repo - aka image_name. The first half of a the complete identifier for a Docker Image.
  • tag - The second half of a Docker image's identity. - Defaults to latest.
  • command - The command to run when starting the container.
  • autoremove - Boolean - Automatically delete a container when it's command exits. Defaults to false.
  • binds - An array of : separated paths to bind mount from the host into the container in the form ['/host-bits:/container-bits', '/more-host-bits:/more-container-bits']. Defaults to nil.
  • cap_add - An array Linux Capabilities (man 7 capabilities) to add to grant the container beyond what it normally gets.
  • cap_drop - An array Linux Capabilities (man 7 capabilities) to revoke that the container normally has.
  • cpu_shares - An integer value containing the CPU Shares for the container.
  • devices - A Hash of devices to add to the container.
  • dns - An array of DNS servers the container will use for name resolution.
  • dns_search - An array of domains the container will search for name resolution.
  • domain_name - Set's the container's dnsdomainname as returned by the dnsdomainname command.
  • entry_point - Set the entry point for the container as a string or an array of strings.
  • env - Set environment variables in the container in the form ['FOO=bar', 'BIZ=baz']
  • extra_hosts - An array of hosts to add to the container's /etc/hosts in the form ['host_a:', 'host_b:']
  • force - A boolean to use in container operations that support a force option. Defaults to false
  • host - A string containing the host the API should communicate with. Defaults to ENV['DOCKER_HOST'] if set
  • host_name - The hostname for the container.
  • labels A string, array, or hash to set metadata on the container in the form ['foo:bar', 'hello:world']`
  • links - An array of source container/alias pairs to link the container to in the form [container_a:www', container_b:db']
  • log_driver - Sets a custom logging driver for the container (json-file/syslog/journald/gelf/fluentd/none).
  • log_opts - Configures the above logging driver options (driver-specific).
  • mac_address - The mac address for the container to use.
  • memory - Memory limit in bytes.
  • memory_swap - Total memory limit (memory + swap); set -1 to disable swap. You must use this with memory and make the swap value larger than memory.
  • network_disabled - Boolean to disable networking. Defaults to false.
  • network_mode - Sets the networking mode for the container.
  • open_stdin - Boolean value, opens stdin. Defaults to false.
  • outfile - The path to write the file when using :export action.
  • port - The port configuration to use in the container. Matches the syntax used by the docker CLI tool.
  • privileged - Boolean to start the container in privileged more. Defaults to false
  • publish_all_ports - Allocates a random host port for all of a container’s exposed ports.
  • remove_volumes - A boolean to clean up "dangling" volumes when removing the last container with a reference to it. Default to false to match the Docker CLI behavior.
  • restart_policy - One of no, on-failure, or always. Use always if you want a service container to survive a Dockerhost reboot. Defaults to no.
  • restart_maximum_retry_count - Maximum number of restarts to try when restart_policy is on-failure. Defaults to an ever increasing delay (double the previous delay, starting at 100mS), to prevent flooding the server.
  • security_opts - A list of string values to customize labels for MLS systems, such as SELinux.
  • signal - The signal to send when using the :kill action. Defaults to SIGKILL.
  • tty - Boolean value to allocate a pseudo-TTY. Defaults to false.
  • user - A string value specifying the user inside the container.
  • volumes - An Array of paths inside the container to expose. Does the same thing as the VOLUME directive in a Dockerfile, but works on container creation.
  • volumes_from - A list of volumes to inherit from another container. Specified in the form <container name>[:<ro|rw>]
  • working_dir - A string specifying the working directory for commands to run in.
  • read_timeout - May need to increase for commits or exports that are slow
  • write_timeout - May need to increase for commits or exports that are slow
  • kill_after - Number of seconds to wait before killing the container. Defaults to wait indefinitely; eventually will hit read_timeout limit.
  • tls - Use TLS; implied by --tlsverify. Defaults to ENV['DOCKER_TLS'] if set
  • tls_verify - Use TLS and verify the remote. Defaults to ENV['DOCKER_TLS_VERIFY'] if set
  • tls_ca_cert - Trust certs signed only by this CA. Defaults to ENV['DOCKER_CERT_PATH'] if set
  • tls_client_cert - Path to TLS certificate file for docker cli. Defaults to ENV['DOCKER_CERT_PATH'] if set
  • tls_client_key - Path to TLS key file for docker cli. Defaults to ENV['DOCKER_CERT_PATH'] if set


  • :create - Creates the container but does not start it. Useful for Volume containers.
  • :start - Starts the container. Useful for containers that run jobs.. command that exit.
  • :run - The default action. Both :create and :start the container in one action. Redeploys the container on resource change.
  • :run_if_missing - Runs a container only once.
  • :stop - Stops the container.
  • :restart - Stops the starts the container.
  • :kill - Send a signal to the container process. Defaults to SIGKILL.
  • :pause - Pauses the container.
  • :unpause - Unpauses the container.
  • :delete - Deletes the container.
  • :redeploy - Deletes and runs the container.


The docker_registry resource is responsible for managing the connection auth information to a Docker registry.

docker_registry action :login

  • Log into or register with public registry:
docker_registry '' do
  username 'publicme'
  password 'hope_this_is_in_encrypted_databag'
  email ''

Log into private registry with optional port:

docker_registry 'my local registry' do
   serveraddress ''
   username 'privateme'
   password 'still_hope_this_is_in_encrypted_databag'

Testing and Development

  • Full development and testing workflow with Test Kitchen and friends:


Please see contributing information in:



Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Dependent cookbooks

compat_resource >= 12.5.14

Contingent cookbooks

amazon-ecs-agent Applicable Versions
cadvisor Applicable Versions
corbel Applicable Versions
deis Applicable Versions
docker-docker-registry Applicable Versions
docker-mms Applicable Versions
docker-mongodb Applicable Versions
docker-mongodb-replset-configurator Applicable Versions
docker-nginx Applicable Versions
docker-nodejs Applicable Versions
docker-pm2 Applicable Versions
docker-python Applicable Versions
docker-redis Applicable Versions
docker2host Applicable Versions
docker_rancher Applicable Versions
docker_registry Applicable Versions
dokku Applicable Versions
drone Applicable Versions
kubernetes Applicable Versions
kubernetes-mesos Applicable Versions
mesos Applicable Versions
netdevops Applicable Versions
rancher Applicable Versions
singularity Applicable Versions


  • #560 - Add cluster-store options to docker daemon


  • #559 - setting tls and tls_verify should to nil by default


  • Supporting Docker ENV variables without explicitly setting per-resource host TLS information
  • Serverspec -> inspec fixes


  • Docker 1.9 support
  • Updates to pull_image id checking
  • Updates default_network_mode calculation


  • Updating metadata to depend on compat_resource >= 12.5.14


  • More minor fixes to Upstart script template


  • Minor fix to Upstart script template


  • Upstart script now waits for all filesystems instead of just local-filesystems


  • marking attach_ properties desired_state: false


  • Switching docker_installation method to auto
  • Cleaning up some old Chef::Provider namespace cruft


  • Adding docker_service auto_restart property. Defaulting to false.


  • Updating README with docker_installation and docker_service_manager resources
  • Adding "desired_state: false" to docker_installation properties


  • Refactoring docker_service into docker_service_manager_whatever
  • Fixing bug in coerce_daemon_labels
  • Fixes to resources-171 suite serverspec


  • Fixing docker_installation_script resource


  • Various cruft cleanup in service templates.
  • Explicitly enabling ipv4 forwarding in execute provider
  • docker_service_sysvinit test suite
  • docker_service_upstart test suite
  • docker_service_systemd test suite


  • Kitchen refactoring
  • docker_service_execute bug fixes


  • Fixing merge meant for v2.1.16


  • Adding install_method property to select docker_installation resource
  • Using docker_installation_binary by default
  • Fixing up serverspec for pre-182 resource test recipes


  • Updates to README around kill_after property on :stop action
  • Updates to various test containers to handle SIGKILL properly


  • Fixing missing property regression in docker_service


  • Fixing up independent of docker_installation_binary resource, adding kitchen suites and serverspec tests


  • #531 - Bugfix for invalid parameters in docker_container :stop action


  • Fixing LocalJumpError in docker_container


  • Adding 'desired_state: false' to various timeouts


  • Refactoring: Moving remote file installation method into docker_installation_binary resource


  • Refactoring: Removing classes from the Chef::Resource namespace


  • Fixing connection information in docker_container and helpers_base
  • Refactoring .kitchen.yml tests


  • Enabling TLS options for docker_container and docker_image
  • Various test fixes


  • #528 - Don't enable https connection scheme if not using TLS


  • #517 - Disallowing nil value for Docker command


  • #514 - Fixing coerce and comparison logic in exposed_ports and volumes to prevent unwanted restarts


  • Adding why_run support


  • #511 - fix container wait state checking
  • #512 - wait for registry ports to be open in test recipe
  • #519 - updating README to include labels#511 - fix container


  • Changing docker_container default action to :run from :run_if_missing.


  • #504 - stop and start should wait for the container to complete
  • #506 - restart to use the api endpoint


  • Allowing nil for docker_registry properties


  • Fixing LocalJumpError caused by next instead of return helper methods


  • #491 - Return best host for docker to connect
  • #495 - iptables opts shouldn't be forced to true/false
  • #497 - Removing property_is_set so timeout pick up defaults


  • Converted resources from LWRP to Chef 12.5 Custom Resources
  • Added dependency on compat_resource cookbook, works back to 12.0.0
  • Various fixes around sysvinit scripts in docker_service
  • Total backwards compatibility with recipes written for chef-docker 1.x


  • Handling NilClass error on docker_image default creds handling


  • Adding a 20 try timeout to the docker_wait_ready block


  • #484 - Fall back to creds for on image pull


  • #438 - Adding per-resource host property to docker_image and docker_container


  • Allow :redeploy on missing containers
  • TLS fixes
  • Updating sysvinit script to use docker_opts


  • Adding Label support for docker_container


  • Switching docker_service sysvinit provider from ::Insserv to ::Debian


  • Fix for docker_service to allow setting icc to false
  • Get chefspec happy on latest nightly chefdk again
  • Accepting both String and Array for default_ulimit


  • Refactoring broken sysvinit scripts
  • #421 - Adding docker-wait-ready blocks
  • Discovered TLS verification is broken. Disabling for now.


  • Fixing broken Chef::Provider::DockerService::Execute


  • Various fixes around sysvinit


  • docker_container - enabling Docker CLI syntax for ulimits


  • Adding tests for #416


  • Replacing docker_log helper function with docker_service.logfile


  • Creating DockerHelpers::Service namespace and moving appropriate methods into it.
  • Start of load_current_resource implemenation for docker_service for #423


  • notifying new_resource to restart when updating docker_bin


  • Registry authentication fixes and slight docker_image refactor
  • Updates for foodcritic and travis


  • #451 Changed default docker_container memory_swap to prevent unwanted redeploys.


  • #447 - Fix for log-config driver type
  • #448 - Fix unwanted redeploys due to calculation of exposed_port changes.
  • #450 - Treat docker_container volumes attribute as unmanaged to prevent redeploys


  • #427 - Qualify port bindings with protocol even when implicitly tcp.
  • #443 - Added docker_container log_driver and log_opts attributes.
  • Changing docker_image read_timeout default to 60
  • Misc cleanup for README and Gemfile


  • #432 Fixing :redeploy so it returns the container the correct state (create vs run)
  • Fixing blank variable interpolation in tmpfiles.d/docker.conf


  • Adding journald gelf and fluentd to logging driver whitelist
  • Allow specifying multiple DNS servers for docker_service


  • Cleaning up code duplication across docker_service init templates


  • switching from to


  • Updating checksum in specs for 1.8.2
  • Downloading over https
  • Removing nonexistent action :enable from docker_service


  • #410 - Fixing Dockerfile override behavior for hostname and ulimits on api 1.9
  • Upgrading to Docker 1.8.2 for default version


  • Fixing Dockerfile / resource override behavior for working_dir


  • Removed patch authentication header to bundled docker-api gem
  • Moved credential reset logic into image provider


  • #379 and #356 - patching vendored docker-api gem authentication headers


  • Handling the situation where USER COMMAND ENV and ENTRYPOINT are set in an image build, but not in a docker_container resource


  • Raising error on authentication error in docker_registry
  • Allowing an array for storage_opts in docker_service
  • Fixing parsed_checksum in docker_service
  • Fixing entrypoint parsing in docker_container


  • Removing leftover log resources used for debugging in development


  • Fixing up regressions in older Docker API versions introduced in cookbook release 1.0.15 _ Adding @api_version instance variable
  • Adding serialized_log_config
  • Adding parsed_network_mode


  • Adding CIDR support for docker_service bip property


  • #309 - Adding bits to enable container re-deployment when properties change


  • Adding api read and write timeouts


  • Fixing docker_service CLI argument generation for log-driver mtu and pidfile


  • Fixing platform_family string (redhat -> rhel) in docker_service sysvinit provider


  • Renaming retries to api_retries to not conflict with Chef::Resource


  • Accepting userland-proxy flag
  • Fix bug in parsed_storage_driver method
  • Correcting usage of ip_forwarding flag
  • Let Docker pick --log-level instead of defaulting to :info


  • Fixing Upstart respawn limit


  • #382 - Fixing docker_service to accept an array for storage_opt


  • #381 - Removing prepended whitespace in DOCKER_OPTS


  • #369 - Fixing up HostConfig.NetworkMode to work as expected


  • #241 - Only updating docker_image resource on :pull if new bits were pulled on tag (useful for latest)
  • Changing docker_image default action to :pull


  • #368 - Fixing port property to be kind_of [String, Array]
  • Adding missing detach property. Defaulting to false.


  • #366 - Using docker_kernel instead of docker_arch in parsed_checksum


  • #365 - Fix logic for parsing an array of hosts
  • #363 - Allow an array for port property


  • Switching docker_service default TLS setting to false to it works out of the box


  • vendoring the docker-api rubygem
  • docker_image and docker_container resources now use speak to the Docker Remote API instead of shelling out
  • docker_containers must now have unique names
  • "volumes" property now acts like the VOLUMES directive in a Dockerfile
  • added "binds" property for local mounting
  • standardizing on "repo" and "tag" as components of an image identifier

v0.43.0 (2015-07-28)

  • Updating README to reflect docker_image and docker_tag reality
  • Implementing rm, noprune, nocache and force on docker_image

v0.42.0 (2015-07-28)

  • removing docker_image :load and :tag action
  • adding docker_tag resource
  • renaming docker_tag image_name property to :repo; creating alias
  • implementing docker_image :push action

v0.41.0 (2015-07-26)

  • vendoring docker-api rubygem
  • beginning work to convert docker_image to use native API instead of shelling out
  • changing docker_image default action to :pull_if_missing
  • removing some deprecated interfaces

v0.40.3 (2015-07-14)

  • remove --no-trunc from docker container status in sysvinit script
  • #334 - docker_container tag property (issue 320)
  • #331 - docker_container ulimit property
  • #328 - Upstart job respawn status detection
  • #326 - Upstart job restart behavior fix sysvinit script examples
  • #236 - README#324 - Reference DOCKER_OPTS Amazon Linux#325

v0.40.2 (2015-07-14)

  • Support for older Chef versions

v0.40.1 (2015-07-08)

  • Changing host property to kind_of Array

v0.40.0 (2015-06-29)

Important changes with this release:

  • Recipes replaced with docker_service resource*
  • Removing a ton of dependencies
  • Storage backends, kernel module loading, etc should now be handled externally
  • Updating for Docker 1.6.2
  • Preferring binary install method to OS packages

IMPORTANT * attributes/ will be removed in the next release. * most are currently non-functional * All options will be driven through resource properties


Please note some important changes with this release:

  • The sysconfig DOCKER_OPTS improvement in #250 can potentially change the behavior of that environment variable as it now allows shell interpolation of any embedded variables. This should not affect most environments. If your DOCKER_OPTS does contains any expected $, please escape via \$ for previous behavior or be sure it will behave as expected before upgrading.
  • The daemon restart option (which is deprecated) has been defaulted to nil instead of false when node['docker']['container_init_type'] is set to prevent issues with container restart policies. If you're dependent on the daemon option, please be sure to update your node['docker']['restart'] appropriately.
  • This release also defaults systemd docker host to fd:// to match upstream, enabling socket activation properly. Adjust node['docker']['host'] if necessary.

  • Bugfix: #239: Upstart: install inotify tools only once (avoid CHEF-3694 warning) (thanks jperville)

  • Bugfix: #240: Fixed dead service containers not being restarted on docker_container :run (thanks jperville)

  • Bugfix: #244: Made docker_container action :remove remove the actual upstart service file (thanks jperville)

  • Bugfix: #246: Lengthen shell_out timeout as workaround for slow docker_container action stop (thanks jperville)

  • Bugfix: #258: Fix checking docker container status on debian (thanks fxposter)

  • Bugfix: #260: Fix accidental port changing when using systemd templates (thanks fxposter)

  • Bugfix: #266: Get tests working on master (thanks tduffield)

  • Bugfix: #267: Replace outdated testcontainerd (thanks tduffield)

  • Bugfix: #269: Fix tests on Travis by following Rubocop style guidelines (container LWRP) (thanks fxposter)

  • Bugfix: #280 / #281: Fix port handling when omitted in container LWRP (thanks databus23)

  • Bugfix: #284 / #285: runit finish script to stop a container (thanks xmik)

  • Bugfix: [#288][]: Fix docker.socket unit for RHEL7 (thanks databus23)

  • Bugfix: #292: readme formatting fix (thanks wormzer)

  • Improvement: #208: Add CentOS/RHEL 7 support (thanks dermusikman and intoximeters)

  • Improvement: #232: Added support for insecure-registry docker daemon option (thanks jperville)

  • Improvement: #233 / #234: Added support for registry-mirror docker daemon option (thanks jperville and tarnfeld)

  • Improvement: #237: Deprecate the restart daemon option (thanks jperville)

  • Improvement: #238: Added docker_container restart attribute (thanks jperville)

  • Improvement: #242: Added docker_container action :create (thanks jperville)

  • Improvement: #245: Add a Gitter chat badge to (thanks tduffield)

  • Improvement: #250: Use double-quotes for DOCKER_OPTS (thanks rchekaluk)

  • Improvement: #259: Use registry on image inspection (thanks fxposter)

  • Improvement: #263: Add additional_host attribute to container resource (thanks fxposter)

  • Improvement: #264 / #265: Access on port 80 (thanks sauraus)

  • Improvement: #268: Updated the /etc/init/docker.conf template (thanks jperville)

  • Improvement: #276: Added support for docker options device and cap-add (thanks hvolkmer)

  • Improvement: #279: Allow docker_container memory to have String value (eg. memory='1G') (thanks jperville)

  • Improvement: #287: redhat 7 does not need the epel repository (thanks databus23)

  • Improvement: #289: Update systemd service/socket files (from upstream) (thanks databus23)

  • Improvement: #296: Default systemd to fd:// as well as use upstream MountFlags=slave and LimitCORE=infinity

  • Improvement: #297: Update docker daemon SysV init scripts with upstream improvements

  • Improvement: #298: Further deprecate daemon restart flag by default, which interferes with restart policies


  • Bugfix: #181: Fixed remove_link action (thanks jperville).
  • Bugfix: #185: Fix for non idempotent run action on docker_container (thanks bplunkert).
  • Bugfix: #188: Applied temporary workaround to address the libcgmanager error to users running LXC on Ubuntu 14.04.
  • Bugfix: #196: Address Helpers module naming conflict (thanks sethrosenblum).
  • Bugfix: #200: Fix how service actions are handled by docker_container resource (thanks brianhartsock).
  • Bugfix: #202: Correctly check for the kernel.release version on Debian (thanks Tritlo, paweloczadly).
  • Bugfix: #203: Fix pull notifications for tagged images (thanks hobofan).
  • Bugfix: #205: Fix assignments in docker_container provider (thanks jperville).
  • Bugfix: #206: Fixes to container name detection (thanks jperville).
  • Enhancement: #217: Explicitly set key and keyserver for docker apt repository (thanks sethrosenblum).
  • Improvement: Pull in init script changes from upstream for sysv and systemd.
  • Bugfix: #219: Explicitly set Upstart provider for Ubuntu 14.04 and 14.10 (thanks methodx).
  • Improvement: #220: Create graph directory if it is specified (thanks jontg).
  • Bugfix: #224: Fix runit container template to properly use exec (thanks waisbrot).
  • Bugfix: Appropriately check for LXC when using the binary recipe on Fedora.
  • Bugfix: Implement workaround for docker/docker#2702 on Ubuntu 14.10.
  • Enhancement: #221: Added NO_PROXY support (thanks jperville).
  • Various Test Suite Modifications
    • Enhancement: #192: Allow image tags in serverspec matching (thanks bplunkert).
    • Bugfix: #223: Convert a few occurrences of old 'should' rspec syntax to 'expect' (thanks jperville).
    • Disable a few platforms that are experiencing bugs unrelated to core functionality.
    • Address ChefSpec 4.1 deprecation warnings.
    • Update Berksfile to reference instead of


  • Bugfix: #171: Default Ubuntu 14.04 to Docker PPA
  • Bugfix: #175: Do not set --selinux-enabled in opts unless explicitly defined for older versions
  • Bugfix: #176: Use docker host attribute in docker_container Upstart inotifywait


  • Bugfix: #172: Generate no cidfile by default, even when deploying as service
  • Bugfix: #173: Updated docker upstart script (should fix service docker restart)


After a long personal hiatus (sorry!), this is the last minor release before 1.0 of the cookbook. If you can handle the Docker port number change and don't use anything deprecated, upgrading to 1.0.X from 0.35.X of the cookbook should be very easy.

This release has a bunch of changes and hasn't been fully tested yet. Wanted to get it out there for broad testing. Please use caution!

Major kudos to @tduffield for the #147 PR, which includes: * Binary Installation * Added missing dependency resolution for using the binary. * Dependency Checks * Added docker::dep_check that will take an action if certain dependencies are not met. * node[docker][alert_on_error_action] = :fatal will kill the chef run and print the error message. * node[docker][alert_on_error_action] = :warn will print the error message but continue with the chef run. There is no guarantee that it will succeed though. * KitchenCI * Copied MiniTests to ServerSpec Tests * Added new platforms (Debian 7.4) * Changed provisioner from chef-solo to chef-zero * Removed Ubuntu 12.10 because it is not supported by Docker and the Kernel is bad and fails all the tests. * Removed tests for the source recipe. The dotcloud/docker repo actually doesn’t build any Go deliverables. * I think that the source recipe needs to be completely refactored.

Other awesome work merged:

  • #142: Bugfix: Redeploy breaks when a link is present
  • #139/#153/#154/#156/#157: Bugfix: container/image ID given as nil, fixes deprecated -notrunc
  • #164: Bugfix: Removing a container should also remove its cidfile
  • #166: Bugfix: Fix docker_inspect_id for Docker 1.0+
  • #158/#160/#165: Bugfix: Fix NameError when displaying error messages for timed-out commands
  • #169: Bugfix: Specify Upstart as service provider for cgroup on Ubuntu 14.04 (workaround for CHEF-5276, fixed in Chef 11.14)
  • #137/#138: Enhancement: Experimental Ubuntu 14.04 LTS support
  • #144: Enhancement: Experimental Amazon linux support
  • #150/#152: Enhancement: Add net attribute, deprecate networking
  • #168: Enhancement: Allow override of package name
  • #161: Enhancement: Add minitest case for SysV service
  • #149: Enhancement: Add --selinux-enabled daemon flag
  • Enhancement: container LWRP remove_link and remove_volume actions
  • Enhancement: Add storage-opt daemon flag
  • Enhancement: Add Docker 0.11.0, 0.11.1, 0.12.0, 1.0.0, 1.0.1 binary checksums


  • #141: Bugfix/Enhancement: Fix and enhance docker_image pull/push behavior with Docker 0.10
    • Removes deprecated --registry and --tag CLI args from docker_image pull
    • Adds support for registry attribute usage in docker_image pull and push
    • Adds support for tag attribute usage in docker_image push


  • #134: Bugfix: Fix docker_registry login handling, fixes #114


Attributes now available for all docker daemon flags as well as system IP forwarding.

  • REMOVED: container_dns* attributes (use replacement dns* attributes on daemon for all containers or docker_container dns* attributes instead)
  • DEPRECATED: bind_* attributes to match docker terminology (use host attribute instead)
  • Bugfix: #132: Do Not Explicitly Set storage_driver Attribute
  • Bugfix: #133: Remove explicit false defaults in resources
  • Bugfix: #114: Error executing action login on resource docker_registry
  • Enhancement: #115: Add IP forwarding attributes
  • Enhancement: #116: Docker 0.10.0: Add --no-prune to docker rmi
  • Enhancement: #117: Docker 0.10.0: Add --output flag to docker save (as well as tag support)
  • Enhancement: #118: Docker 0.10.0: Add --input flag to docker load
  • Enhancement: #119: Docker 0.10.0: Add support for --env-file to load environment variables from files
  • Enhancement: #120: Docker 0.10.0: Deprecate docker insert
  • Enhancement: #123: Add docker kill --signal
  • Enhancement: #124: Add all docker daemon options as attributes
  • Enhancement: #125: Use dns* attributes to set docker daemon options, not defaults per-container
  • Enhancement: #128: Add checksum attribute for binary downloads
  • Enhancement: #126: Set long option names for specified docker daemon options
  • Enhancement: #127: Use a helper function to specify single line docker daemon options


  • Bugfix: #112: Defines runner methods for ChefSpec matchers
  • Bugfix: #113: [D-15] Fedora 19 installs Docker 0.8.1, does not have the -G or -e flag


This release deprecates AUFS/device-mapper handling from chef-docker, but provides backwards compatibility by still including the default recipe of the new cookbooks. Please update your dependencies, Github watching/issues, and recipes to reflect the two new community cookbooks: * aufs: aufs on community site / chef-aufs on Github * device-mapper: device-mapper on community site / chef-device-mapper on Github

  • Bugfix: #109: Remove on lxc-net start from docker Upstart
  • Enhancement: #88: Migrate AUFS logic to separate cookbook
  • Enhancement: #90: Migrate device-mapper logic to separate cookbook
  • Enhancement: #110: Add docker Upstart pre-start script and limits configuration
  • Enhancement: #105: Add --label for docker run
  • Enhancement: #106: Add --opt for docker run
  • Enhancement: #107: Add --networking for docker run
  • Enhancement: #108: Add --dns-search for docker run
  • Enhancement: #104: Add TMPDIR
  • Enhancement: #111: Add DOCKER_LOGFILE configuration
  • Enhancement: container_dns* attributes to set --dns and --dns-search for all containers


  • Bugfix: #101: Explicitly install lxc on Ubuntu (when lxc is exec_driver; continue to fully support LXC as a default installation path since its been since Docker 0.1)
  • Bugfix: #103: Fix host argument (in docker run)


  • Bugfix: #98: Ensure Ruby 1.8 syntax is supported
  • Bugfix: Skip empty Array values in cli_args helper


If you're using CentOS/RHEL with EPEL, upcoming docker-io 0.9.0 package upgrade can be tracked at Bugzilla 1074880

This release includes Docker 0.9.0 changes and defaults, such as setting exec_driver to libcontainer ("native"), setting -rm on docker build, double dash arguments on the CLI, additional flags, etc.

  • DEPRECATED: Rename storage_type attribute to storage_driver to match Docker terminology (storage_type will be removed in chef-docker 1.0)
  • DEPRECATED: Rename virtualization_type attribute to exec_driver to match Docker terminology (virtualization_type will be removed in chef-docker 1.0)
  • Bugfix: #80: Use double dashed arguments on CLI
  • Bugfix: Surround String values on CLI with quotes
  • Enhancement: #77: Improved docker ps handling
  • Enhancement: #78: Docker 0.9.0: Make --rm the default for docker build
  • Enhancement: #81: Docker 0.9.0: Add a -G option to specify the group which unix sockets belong
  • Enhancement: #82: Docker 0.9.0: Add -f flag to docker rm to force removal of running containers
  • Enhancement: Add -f flag for docker rmi to force removal of images
  • Enhancement: #83: Docker 0.9.0: Add DOCKER_RAMDISK environment variable to make Docker work when the root is on a ramdisk
  • Enhancement: #84: Docker 0.9.0: Add -e flag for execution driver
  • Enhancement: #85: Docker 0.9.0: Default to libcontainer
  • Enhancement: #86: Add Chefspec LWRP matchers


Lots of init love this release. Now supporting runit.

Please note change of storage_type attribute from devmapper to devicemapper (and associated recipe name change) to match docker's name for the driver.

Cookbook now automatically adds -s option to init configurations if storage_type is defined, which is it by default. If you were specifying -s in the options attribute, you no longer need to do so. In my quick testing, docker daemon doesn't seem to mind if -s is specified twice on startup, although you'll probably want to get rid of the extra specification.

I've also dropped the LANG= and LC_ALL= locale environment settings from the Upstart job configuration. Its not specified in the default docker job. Please open an issue in docker project and here if for some reason this is actually necessary.

  • Bugfix: Match devicemapper storage_type attribute to match docker driver name (along with recipe name)
  • Enhancement: #72: Add initial runit init_type
  • Enhancement: #60: Automatically set docker -d -s from storage_type attribute
  • Enhancement: Simplify default/sysconfig file into one template (docker.sysconfig.erb) and source into SysV/Upstart init configurations
  • Enhancement: Add Debian docker daemon SysV init template


  • Bugfix: #68: Fix CommandTimeout handling in LWRPs
  • Bugfix: #67: Fix argument order to pull when tag specified


Public or private registry login should now correctly occur and login once per credentials change.

  • Bugfix: #64: Correct CLI ordering of registry login
  • Bugfix: #65: login command skipped in registry provider
  • Enhancement: registry provider current resource attributes loaded from .dockercfg


Awesome work by @jcrobak to close out two issues (#49 and #52) with #62. Note change below in image build action.

  • Bugfix: #52: return codes of docker commands not verified
  • Bugfix: Add missing pull_if_missing action to image resource
  • Enhancement: #56: Switch build action to build_if_missing, build action now builds each run (be careful with image growth!)
  • Enhancement: #59: Add Mac OS X installation support
  • Enhancement: #49: Add docker_cmd_timeout attribute and daemon verification
  • Enhancement: #58: Add container redeploy action
  • Enhancement: #63: Add group_members attribute and group recipe to manage docker group


  • Enhancement: #57: Implement id checking when determining current_resource
    • Added to both container and image LWRPs
  • Enhancement: Set created and status attributes for current container resources (for handlers, wrappers, etc.)
  • Enhancement: Set created and virtual_size attributes for image resource (for handlers, wrappers, etc.)


  • Enhancement: #55: image LWRP pull action now attempts pull every run (use pull_if_missing action for old behavior)


  • Bugfix: #51: container LWRP current_resource attribute matching should also depend on container_name


  • Enhancement: #48: Accept FalseClass CLI arguments (also explicitly declare =true for TrueClass CLI arguments)


  • Bugfix: Add SysV init script for binary installs
  • Enhancement: Add storage_type and virtualization_type attributes
  • Enhancement: Initial devmapper support for binary installs on CentOS/Ubuntu
  • Enhancement: #47 Debian-specific container SysV init script
  • Enhancement: #46 Add rm attribute for build action on image LWRP
  • Enhancement: Add no_cache attribute for build action on image LWRP


  • Bugfix: #44 Add missing run attribute for commit action on container LWRP


  • DEPRECATED: image LWRP dockerfile, image_url, and path attributes (replaced with source attribute)
  • Bugfix: Use docker_cmd for container LWRP remove and restart actions
  • Enhancement: Add registry LWRP with login action
  • Enhancement: Standardize on "smart" and reusable destination and source attributes for container and image LWRPs to define paths/URLs for various operations
  • Enhancement: Add commit, cp, export, and kill actions to container LWRP
  • Enhancement: Add insert, load, push, save, and tag actions to image LWRP
  • Enhancement: Add local file and directory support to import action of image LWRP
  • Enhancement: Add Array support to container LWRP link attribute
  • Enhancement: Cleaned up LWRP documentation


  • Bugfix: #43 Better formatting for container LWRP debug logging


  • Bugfix: Explicitly declare depends and supports in metadata
  • Bugfix: Handle container run action if container exists but isn't running


  • Bugfix: #42 fix(upstart): Install inotify-tools if using upstart
  • Enhancement: #38 Allow a user to specify a custom template for their container init configuration


  • Bugfix: #39 Fix NoMethodError bugs in docker::aufs recipe


  • Bugfix: Default oracle init_type to sysv
  • Enhancement: Experimental Debian 7 package support
  • Enhancement: Use new yum-epel cookbook instead of yum::epel recipe
  • Enhancement: Use value_for_platform where applicable in attributes, requires Chef 11


  • Enhancement: #35 Use kernel release for package name on saucy and newer
  • Enhancement: #37 dont include aufs recipe on ubuntu 13.10 and up; don't require docker::lxc for package installs


  • Enhancement: #31 More helpful cmd_timeout error messages and catchable exceptions for container (Chef::Provider::Docker::Container::CommandTimeout) and image (Chef::Provider::Docker::Image::CommandTimeout) LWRPs



  • Bugfix: #30 apt-get throws exit code 100 when upgrading docker


  • Enhancement: Add node['docker']['version'] attribute to handle version for all install_type (recommended you switch to this)
  • Enhancement: default['docker']['binary']['version'] attribute uses node['docker']['version'] if set
  • Enhancement: Add version handling to package recipe


  • Bugfix: Remove ExecStartPost from systemd service to match change in docker-io-0.7.0-13


  • Enhancement: CentOS/RHEL 6 package support via EPEL repository
  • Enhancement: Fedora 19/20 package support now in updates (stable) repository
  • Enhancement: sysv recipe and init_type


  • Removed: configuration recipe (see bugfix below)
  • Removed: config_dir attribute (see bugfix below)
  • Bugfix: Revert back to specifying HTTP_PROXY and "DOCKER_OPTS" natively in systemd/Upstart (mostly to fix up systemd support)
  • Bugfix: Add systemctl --system daemon-reload handling to systemd service template
  • Bugfix: Add || true to container systemd/Upstart pre-start in case already running
  • Bugfix: Locale environment already handled automatically by systemd
  • Enhancement: Switch Fedora package installation from goldmann-docker to Fedora updates-testing repository
  • Enhancement: Switch container LWRPs to named containers on Fedora since now supported
  • Enhancement: Update docker systemd service contents from docker-io-0.7.0-12.fc20
    • Add: Wants/After firewalld.service
    • Add: ExecStartPost firewall-cmd
    • Remove: ExecStartPost iptables commands


  • Bugfix: Remove protocol from docker systemd ListenStreams
  • Bugfix: Lengthen shell_out timeout for stop action in container LWRP to workaround Fedora being slow
  • Enhancement: Add service creation to container LWRP by default
    • Please thoroughly test before putting into production!
    • set['docker']['container_init_type'] = false or add init_type false for the LWRP to disable this behavior
  • Enhancement: Add configuration recipe with template
  • Enhancement: Add container_cmd_timeout attribute to easily set global container LWRP cmd_timeout default
  • Enhancement: Add image_cmd_timeout attribute to easily set global image LWRP cmd_timeout default
  • Enhancement: Add cookbook attribute to container LWRP
  • Enhancement: Add init_type attribute to container LWRP
  • Enhancement: Add locale support for Fedora
  • Enhancement: Fail Chef run if docker run command errors


  • Enhancement: Fedora 19/20 package support via Goldmann docker repo
  • Enhancement: docker.service / docker.socket systemd support
  • Enhancement: Add node['docker']['init_type'] attribute for controlling init system


  • Bugfix: #27 Only use command to determine running container if provided
  • Bugfix: #28 Upstart requires full stop and start of service instead of restart if job configuration changes while already running. Note even initctl reload-configuration isn't working as expected from
  • Enhancement: #26 Add ability to set package action


  • Bugfix: Move LWRP updated_on_last_action(true) calls so only triggered when something actually gets updated
  • Enhancement: Add container LWRP wait action
  • Enhancement: Add attach and stdin args to container LWRP start action
  • Enhancement: Add link arg to container LWRP remove action
  • Enhancement: Use cmd_timeout in container LWRP stop action arguments


  • Bugfix: Add default bind_uri (nil) to default attributes
  • Enhancement: #24 bind_socket attribute added


  • DEPRACATION: container LWRP Fixnum port attribute: use full String notation from Docker documentation in port attribute instead
  • DEPRACATION: container LWRP public_port attribute: use port attribute instead
  • Enhancement: Additional container LWRP attributes:
    • cidfile
    • container_name
    • cpu_shares
    • dns
    • expose
    • link
    • lxc_conf
    • publish_exposed_ports
    • remove_automatically
    • volumes_from
  • Enhancement: Support Array in container LWRP attributes:
    • env
    • port
    • volume


  • Bugfix: Set default cmd_timeout in image LWRP to 300 instead of 60 because downloading images can take awhile
  • Enhancement: Change docker_test Dockerfile FROM to already downloaded busybox image instead of ubuntu
  • Enhancement: Add vagrant-cachier to Vagrantfile

Other behind the scenes changes: * Made cookbook code Rubocop compliant * Move licensing information to LICENSE file * Updated .travis.yml and Gemfile


  • Enhancement: #22 cmd_timeout, path (image LWRP), working_directory (container LWRP) LWRP attributes
  • Bugfix: #25 Install Go environment only when installing from source


  • Fix to upstart recipe to not restart service constantly (only on initial install and changes)


  • image LWRP now supports non-stdin build and import actions (thanks @wingrunr21!)


  • Fix in aufs recipe for FC048 Prefer Mixlib::ShellOut


Lots of community contributions this release -- thanks! * image LWRP now supports builds via Dockerfile * Additional privileged, public_port, and stdin parameters for container LWRP * Support specifying binary version for installation * Fix upstart configuration customization when installing via Apt packages * Default to Golang 1.1


  • Use HTTPS for Apt repository


  • Update APT repository information for Docker 0.6+


  • Change Upstart config to start on runlevels [2345] instead of just 3


  • Change env HTTP_PROXY to export HTTP_PROXY in Upstart configuration


  • Add bind_uri and options attributes


  • Add http_proxy attribute


  • Docker now provides precise/quantal/raring distributions for their PPA
  • Tested Ubuntu 13.04 support


  • Initial container LWRP


  • Initial image LWRP


  • Initial release

2.2.9 passed Foodcritic.