I really want to use bridge=docker1 but cannot create docker1 until the daemon is up, so I use bridge=none for now and will create the new bridge when the Daemon is up (will this work?). I also have a config file at /etc/docker/daemon-docker-prod.json
{
"data-root": "/home/docker_extra_root_dir"
}
However, when I run the command I get continuous errors, e.g:
ERRO[2025-11-07T13:16:01.197165973Z] failed to process event container=cfbc653d38e16cc8236e4d965c7cfd47378644e1d9dc7a63a62d6d92d573ea40 error="could not find container cfbc653d38e16cc8236e4d965c7cfd47378644e1d9dc7a63a62d6d92d573ea40: No such container: cfbc653d38e16cc8236e4d965c7cfd47378644e1d9dc7a63a62d6d92d573ea40" event=exit event-info="{cfbc653d38e16cc8236e4d965c7cfd47378644e1d9dc7a63a62d6d92d573ea40 ca38900f5c5eee3f19dc2ef562865bc4fce22b3753762ed7e81209285b7d8a8834502 0 2025-11-07 13:16:01.19664609 +0000 UTC <nil>}" module=libcontainerd namespace=moby
If I look up the container IDs in the errors, I see they are actually containers that the 1st daemon is running! How does the 2nd daemon even know those exist? Why is it trying to mess with them? I thought the data-root setting in the json should ensure the two daemons don't know about each other. Is there another setting I need to change?
I validated the json config OK, and the other daemon has json config that just says "hosts": ["fd://"]. Any advice welcome.
First of all, I have no idea how to run two docker daemons on a single host, unless both are either run in separate lxc containers or vms. It doesn't make sense to me to run two rootful daemons on the same host.
Anyhow, I wonder how the two docker instances are distinguished on containerd level.
After all both delegate container and starting with docker v29 the image handling to containerd.
Unless there is a way to specify a different dockerd namespace for each docker instance, I am not sure how this is supposed to work, as the state would end up in the same containerd instance. Docker uses the moby namespace in containerd. I have no idea if it's possible to configure a different namespace per instance.
You can list existing namespaces and containers like this:
sudo ctr namespaces list
sudo ctr --namespace moby containers list
Update:
it seems you can configure the containerd-namespace in the daemon.json:
containerd-namespace was the variable I needed, thanks. It's a bit of a miss that Docker's own guide on running multiple daemons doesn't mention the need to set a different namespace for each one!
But I now have the 2nd daemon up and not throwing errors. I am finding that the daemons are interfering with each other's IPTABLES rules, but I was expecting that and will see if I can solve it by changing iptables=true and the bridge settings.
We can share this issue with Docker, but if you want to directly contribute, you can click on "Request changes" in the documentation in the top right corner and ask for extending the documentation.
And if you think @meyay's post gave you the solution you were looking for, please mark his post as "Solution" by clicking on the gray checkbox icon.
Do you guys have any idea how to get two daemons to cooperate with iptables=true set on both? If I have one daemon up with some docker networks live, and then bring up the other one, the second one wipes all the iptables rules (and obviously breaks the existing networks). I was expecting this, given the documentation ( dockerd | Docker Docs ) but I was hoping it might be possible to put the rules into different namespaces or something? It seems unfortunate if there isn't any way to prevent the two sets of iptables from colliding…
You can run the second Docker daemon in a Docker container (or LXC container or VM), but that would mean you would not have access to container IPs and you would need a proxy to access ports of the containers running in another container.
He also mentioned "rootful daemons". Which means you run the daemon as root.
You can run Rootless Docker (the opposite of rootful), which is an isolated daemon under your home folder running as your user.
Of course, that will also be different and not everything would work the same way as normally.
I had a quick look at rootless docker before, but I'm not sure how it would solve the iptables collision problem? The guides on rootless docker tend not to mention iptables at all, which makes me think that they are probably being mostly used by people not running docker networks. How would running the daemon as a different user put the iptables rules into non-clashing spaces?
Since the daemon is running as your user, it uses a different network driver so it doesn't need to change iptables rules as far as I know. The whole network is isolated. But that is why there are limitations and differences so I recommend reading the whole rootless documentation I linked.
I've done a bit more testing of this, and I can confirm that using --iptables=true even with --bridge=none or with --bridge=other-network docker will nuke all the iptables entries of the 1st daemon when the 2nd daemon is started. This is annoying because most sources seem to suggest that using a different bridge driver on the two daemons should avoid networking clashes. Only running one of the daemons with --iptables=false prevents iptables nonsense, which of course makes that daemon largely useless as there is no network connectivity to docker sub-nets on it…
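Added example, not part of the thread and not Docker's own code: a Python check that compares two daemon.json files for the settings this thread found to collide (containerd-namespace, iptables) along with the per-daemon paths. It assumes every setting lives in the JSON file (command-line flags are not seen), and the moby-prod namespace and docker-prod paths are made-up values.

```python
import json
import posixpath

# Documented dockerd defaults, used when a key is absent from daemon.json.
DEFAULTS = {
    "data-root": "/var/lib/docker",
    "exec-root": "/var/run/docker",
    "pidfile": "/var/run/docker.pid",
    "containerd-namespace": "moby",
    "iptables": True,
}
PATH_KEYS = ("data-root", "exec-root", "pidfile")


def effective(config_text):
    """Parse one daemon.json, fill in defaults and normalise path values."""
    cfg = {**DEFAULTS, **json.loads(config_text)}
    for key in PATH_KEYS:
        cfg[key] = posixpath.normpath(cfg[key])
    return cfg


def collisions(text_a, text_b):
    """Return (key, shared value) pairs where two daemons step on each other."""
    a, b = effective(text_a), effective(text_b)
    shared = [(k, a[k]) for k in PATH_KEYS + ("containerd-namespace",) if a[k] == b[k]]
    # Per the thread: with iptables enabled on both, the daemon started later
    # wipes the earlier daemon's rules, whatever the bridge setting is.
    if a["iptables"] and b["iptables"]:
        shared.append(("iptables", True))
    return shared


# Constructed inputs: the first two mirror the configs quoted in the thread;
# the third adds hypothetical per-daemon values (moby-prod, docker-prod paths).
FIRST = '{"hosts": ["fd://"]}'
SECOND_BEFORE = '{"data-root": "/home/docker_extra_root_dir"}'
SECOND_AFTER = json.dumps({
    "data-root": "/home/docker_extra_root_dir",
    "exec-root": "/var/run/docker-prod",
    "pidfile": "/var/run/docker-prod.pid",
    "containerd-namespace": "moby-prod",
})

if __name__ == "__main__":
    for label, second in (("before", SECOND_BEFORE), ("after", SECOND_AFTER)):
        print(label, collisions(FIRST, second))
```

With only data-root changed, the shared moby namespace is still reported, which matches the "No such container" errors above; after the namespace and paths are separated, only the iptables overlap remains.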