Merge pull request #4712 from dvdksn/docs-tier1-fresshness-q4

docs: editorial improvements, typo fixes

docs/reference/commandline/attach.md

@@ -22,13 +22,14 @@ Attach local standard input, output, and error streams to a running container
 
 Use `docker attach` to attach your terminal's standard input, output, and error
 (or any combination of the three) to a running container using the container's
-ID or name. This allows you to view its ongoing output or to control it
+ID or name. This lets you view its output or control it interactively, as
-interactively, as though the commands were running directly in your terminal.
+though the commands were running directly in your terminal.
 
-> **Note:**
+> **Note**
-> The `attach` command will display the output of the `ENTRYPOINT/CMD` process.  This
+>
-> can appear as if the attach command is hung when in fact the process may simply
+> The `attach` command displays the output of the container's `ENTRYPOINT` and
-> not be interacting with the terminal at that time.
+> `CMD` process. This can appear as if the attach command is hung when in fact
+> the process may simply not be writing any output at that time.
 
 You can attach to the same contained process multiple times simultaneously,
 from different sessions on the Docker host.
@@ -38,44 +39,41 @@ container. If `--sig-proxy` is true (the default),`CTRL-c` sends a `SIGINT` to
 the container. If the container was run with `-i` and `-t`, you can detach from
 a container and leave it running using the `CTRL-p CTRL-q` key sequence.
 
-> **Note:**
+> **Note**
+>
 > A process running as PID 1 inside a container is treated specially by
 > Linux: it ignores any signal with the default action. So, the process
-> will not terminate on `SIGINT` or `SIGTERM` unless it is coded to do
+> doesn't terminate on `SIGINT` or `SIGTERM` unless it's coded to do so.
-> so.
 
-It is forbidden to redirect the standard input of a `docker attach` command
+You can't redirect the standard input of a `docker attach` command while
-while attaching to a TTY-enabled container (using the `-i` and `-t` options).
+attaching to a TTY-enabled container (using the `-i` and `-t` options).
 
-While a client is connected to container's `stdio` using `docker attach`, Docker
+While a client is connected to container's `stdio` using `docker attach`,
-uses a ~1MB memory buffer to maximize the throughput of the application.
+Docker uses a ~1MB memory buffer to maximize the throughput of the application.
 Once this buffer is full, the speed of the API connection is affected, and so
 this impacts the output process' writing speed. This is similar to other
-applications like SSH. Because of this, it is not recommended to run
+applications like SSH. Because of this, it isn't recommended to run
-performance critical applications that generate a lot of output in the
+performance-critical applications that generate a lot of output in the
-foreground over a slow client connection. Instead, users should use the
+foreground over a slow client connection. Instead, use the `docker logs`
-`docker logs` command to get access to the logs.
+command to get access to the logs.
 
 ## Examples
 
 ### Attach to and detach from a running container
 
-The following example starts an ubuntu container running `top` in detached mode,
+The following example starts an Alpine container running `top` in detached mode,
 then attaches to the container;
 
 ```console
-$ docker run -d --name topdemo ubuntu:22.04 /usr/bin/top -b
+$ docker run -d --name topdemo alpine top -b
 
 $ docker attach topdemo
 
-top - 12:27:44 up 3 days, 21:54,  0 users,  load average: 0.00, 0.00, 0.00
+Mem: 2395856K used, 5638884K free, 2328K shrd, 61904K buff, 1524264K cached
-Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+CPU:   0% usr   0% sys   0% nic  99% idle   0% io   0% irq   0% sirq
-%Cpu(s):  0.1 us,  0.1 sy,  0.0 ni, 99.8 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
+Load average: 0.15 0.06 0.01 1/567 6
-MiB Mem :   3934.3 total,    770.1 free,    674.2 used,   2490.1 buff/cache
+  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
-MiB Swap:   1024.0 total,    839.3 free,    184.7 used.   2814.0 avail Mem
+    1     0 root     R     1700   0%   3   0% top -b
-
-  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
-    1 root      20   0    7180   2896   2568 R   0.0   0.1   0:00.02 top
 ```
 
 As the container was started without the `-i`, and `-t` options, signals are
@@ -85,14 +83,15 @@ container:
 
 ```console
 <...>
-  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
+  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
-    1 root      20   0    7180   2896   2568 R   0.0   0.1   0:00.02 top^P^Q
+    1     0 root     R     1700   0%   7   0% top -b
+^P^Q
 ^C
 
 $ docker ps -a --filter name=topdemo
 
-CONTAINER ID   IMAGE          COMMAND             CREATED              STATUS                          PORTS     NAMES
+CONTAINER ID   IMAGE     COMMAND    CREATED          STATUS                       PORTS     NAMES
-4cf0d0ebb079   ubuntu:22.04   "/usr/bin/top -b"   About a minute ago   Exited (0) About a minute ago             topdemo
+96254a235bd6   alpine    "top -b"   44 seconds ago   Exited (130) 8 seconds ago             topdemo
 ```
 
 Repeating the example above, but this time with the `-i` and `-t` options set;
@@ -109,19 +108,17 @@ with `docker ps` shows that the container is still running in the background:
 ```console
 $ docker attach topdemo2
 
-top - 12:44:32 up 3 days, 22:11,  0 users,  load average: 0.00, 0.00, 0.00
+Mem: 2405344K used, 5629396K free, 2512K shrd, 65100K buff, 1524952K cached
-Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+CPU:   0% usr   0% sys   0% nic  99% idle   0% io   0% irq   0% sirq
-%Cpu(s): 50.0 us,  0.0 sy,  0.0 ni, 50.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
+Load average: 0.12 0.12 0.05 1/594 6
-MiB Mem :   3934.3 total,    770.6 free,    672.4 used,   2491.4 buff/cache
+  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
-MiB Swap:   1024.0 total,    839.3 free,    184.7 used.   2815.8 avail Mem
+    1     0 root     R     1700   0%   3   0% top -b
-
+read escape sequence
-  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
-    1 root      20   0    7180   2776   2452 R   0.0   0.1   0:00.02 topread escape sequence
 
 $ docker ps -a --filter name=topdemo2
 
-CONTAINER ID   IMAGE          COMMAND             CREATED         STATUS         PORTS     NAMES
+CONTAINER ID   IMAGE     COMMAND    CREATED          STATUS          PORTS     NAMES
-b1661dce0fc2   ubuntu:22.04   "/usr/bin/top -b"   2 minutes ago   Up 2 minutes             topdemo2
+fde88b83c2c2   alpine    "top -b"   22 seconds ago   Up 21 seconds             topdemo2
 ```
 
 ### Get the exit code of the container's command

docs/reference/commandline/build.md

@@ -60,11 +60,11 @@ pre-packaged tarball contexts and plain text files.
 
 When the `URL` parameter points to the location of a Git repository, the
 repository acts as the build context. The system recursively fetches the
-repository and its submodules. The commit history is not preserved. A
+repository and its submodules. The commit history isn't preserved. A
 repository is first pulled into a temporary directory on your local host. After
 that succeeds, the directory is sent to the Docker daemon as the context.
 Local copy gives you the ability to access private repositories using local
-user credentials, VPN's, and so forth.
+user credentials, VPNs, and so forth.
 
 > **Note**
 >
@@ -100,18 +100,18 @@ contexts:
 
 ### Tarball contexts
 
-If you pass an URL to a remote tarball, the URL itself is sent to the daemon:
+If you pass a URL to a remote tarball, the URL itself is sent to the daemon:
 
 ```console
 $ docker build http://server/context.tar.gz
 ```
 
 The download operation will be performed on the host the Docker daemon is
-running on, which is not necessarily the same host from which the build command
+running on, which isn't necessarily the same host from which the build command
 is being issued. The Docker daemon will fetch `context.tar.gz` and use it as the
 build context. Tarball contexts must be tar archives conforming to the standard
-`tar` UNIX format and can be compressed with any one of the 'xz', 'bzip2',
+`tar` Unix format and can be compressed with any one of the `xz`, `bzip2`,
-'gzip' or 'identity' (no compression) formats.
+`gzip` or `identity` (no compression) formats.
 
 ### Text files
 
@@ -122,7 +122,7 @@ Instead of specifying a context, you can pass a single `Dockerfile` in the
 $ docker build - < Dockerfile
 ```
 
-With Powershell on Windows, you can run:
+With PowerShell on Windows, you can run:
 
 ```powershell
 Get-Content Dockerfile | docker build -
@@ -136,8 +136,7 @@ By default the `docker build` command will look for a `Dockerfile` at the root
 of the build context. The `-f`, `--file`, option lets you specify the path to
 an alternative file to use instead. This is useful in cases where the same set
 of files are used for multiple builds. The path must be to a file within the
-build context. If a relative path is specified then it is interpreted as
+build context. Relative path are interpreted as relative to the root of the context.
-relative to the root of the context.
 
 In most cases, it's best to put each Dockerfile in an empty directory. Then,
 add to that directory only the files needed for building the Dockerfile. To
@@ -152,8 +151,7 @@ running at the time the build is cancelled, the pull is cancelled as well.
 
 ## Return code
 
-On a successful build, a return code of success `0` will be returned.  When the
+Successful builds return exit code `0`. Failed builds return a non-zero exit code.
-build fails, a non-zero failure code will be returned.
 
 There should be informational output of the reason for failure output to
 `STDERR`:
@@ -214,15 +212,15 @@ local directory get `tar`d and sent to the Docker daemon. The `PATH` specifies
 where to find the files for the "context" of the build on the Docker daemon.
 Remember that the daemon could be running on a remote machine and that no
 parsing of the Dockerfile happens at the client side (where you're running
-`docker build`). That means that *all* the files at `PATH` get sent, not just
+`docker build`). That means that all the files at `PATH` get sent, not just
-the ones listed to [*ADD*](https://docs.docker.com/engine/reference/builder/#add)
+the ones listed to [`ADD`](https://docs.docker.com/engine/reference/builder/#add)
 in the Dockerfile.
 
 The transfer of context from the local machine to the Docker daemon is what the
 `docker` client means when you see the "Sending build context" message.
 
 If you wish to keep the intermediate containers after the build is complete,
-you must use `--rm=false`. This does not affect the build cache.
+you must use `--rm=false`. This doesn't affect the build cache.
 
 ### Build with URL
 
@@ -252,7 +250,7 @@ Successfully built 377c409b35e4
 
 This sends the URL `http://server/ctx.tar.gz` to the Docker daemon, which
 downloads and extracts the referenced tarball. The `-f ctx/Dockerfile`
-parameter specifies a path inside `ctx.tar.gz` to the `Dockerfile` that is used
+parameter specifies a path inside `ctx.tar.gz` to the `Dockerfile` used
 to build the image. Any `ADD` commands in that `Dockerfile` that refers to local
 paths must be relative to the root of the contents inside `ctx.tar.gz`. In the
 example above, the tarball contains a directory `ctx/`, so the `ADD
@@ -274,7 +272,7 @@ $ docker build - < context.tar.gz
 ```
 
 This will build an image for a compressed context read from `STDIN`.  Supported
-formats are: bzip2, gzip and xz.
+formats are: `bzip2`, `gzip` and `xz`.
 
 ### Use a .dockerignore file
 
@@ -314,7 +312,6 @@ found, the `.dockerignore` file is used if present. Using a Dockerfile based
 `.dockerignore` is useful if a project contains multiple Dockerfiles that expect
 to ignore different sets of files.
 
-
 ### <a name="tag"></a> Tag an image (-t, --tag)
 
 ```console
@@ -375,12 +372,12 @@ the command line.
 > **Note**
 >
 > `docker build` returns a `no such file or directory` error if the
-> file or directory does not exist in the uploaded context. This may
+> file or directory doesn't exist in the uploaded context. This may
-> happen if there is no context, or if you specify a file that is
+> happen if there is no context, or if you specify a file that's
 > elsewhere on the Host system. The context is limited to the current
 > directory (and its children) for security reasons, and to ensure
 > repeatable builds on remote Docker hosts. This is also the reason why
-> `ADD ../file` does not work.
+> `ADD ../file` doesn't work.
 
 ### <a name="cgroup-parent"></a> Use a custom parent cgroup (--cgroup-parent)
 
@@ -396,7 +393,7 @@ container to be started using those [`--ulimit` flag values](run.md#ulimit).
 
 You can use `ENV` instructions in a Dockerfile to define variable
 values. These values persist in the built image. However, often
-persistence is not what you want. Users want to specify variables differently
+persistence isn't what you want. Users want to specify variables differently
 depending on which host they build an image on.
 
 A good example is `http_proxy` or source versions for pulling intermediate
@@ -410,7 +407,7 @@ $ docker build --build-arg HTTP_PROXY=http://10.20.30.2:1234 --build-arg FTP_PRO
 This flag allows you to pass the build-time variables that are
 accessed like regular environment variables in the `RUN` instruction of the
 Dockerfile. Also, these values don't persist in the intermediate or final images
-like `ENV` values do.   You must add `--build-arg` for each build argument.
+like `ENV` values do. You must add `--build-arg` for each build argument.
 
 Using this flag will not alter the output you see when the `ARG` lines from the
 Dockerfile are echoed during the build process.
@@ -638,15 +635,14 @@ $ docker build --cache-from myname/myapp .
 #### Overview
 
 Once the image is built, squash the new layers into a new image with a single
-new layer. Squashing does not destroy any existing image, rather it creates a new
+new layer. Squashing doesn't destroy any existing image, rather it creates a new
 image with the content of the squashed layers. This effectively makes it look
 like all `Dockerfile` commands were created with a single layer. The build
 cache is preserved with this method.
 
-The `--squash` option is an experimental feature, and should not be considered
+The `--squash` option is an experimental feature, and shouldn't be considered
 stable.
 
-
 Squashing layers can be beneficial if your Dockerfile produces multiple layers
 modifying the same files, for example, files that are created in one step, and
 removed in another step. For other use-cases, squashing images may actually have
@@ -656,15 +652,14 @@ images (saving space).
 
 For most use cases, multi-stage builds are a better alternative, as they give more
 fine-grained control over your build, and can take advantage of future
-optimizations in the builder. Refer to the [use multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/)
+optimizations in the builder. Refer to the [Multi-stage builds](https://docs.docker.com/build/building/multi-stage/)
-section in the userguide for more information.
+section for more information.
-
 
 #### Known limitations
 
 The `--squash` option has a number of known limitations:
 
-- When squashing layers, the resulting image cannot take advantage of layer
+- When squashing layers, the resulting image can't take advantage of layer
   sharing with other images, and may use significantly more space. Sharing the
   base image is still supported.
 - When using this option you may see significantly more space used due to
@@ -672,8 +667,8 @@ The `--squash` option has a number of known limitations:
   layers intact, and one for the squashed version.
 - While squashing layers may produce smaller images, it may have a negative
   impact on performance, as a single layer takes longer to extract, and
-  downloading a single layer cannot be parallelized.
+  downloading a single layer can't be parallelized.
-- When attempting to squash an image that does not make changes to the
+- When attempting to squash an image that doesn't make changes to the
   filesystem (for example, the Dockerfile only contains `ENV` instructions),
   the squash step will fail (see [issue #33823](https://github.com/moby/moby/issues/33823)).
 
@@ -686,7 +681,7 @@ the Docker daemon or setting `experimental: true` in the `daemon.json` configura
 file.
 
 By default, experimental mode is disabled. To see the current configuration of
-the docker daemon, use the `docker version` command and check the `Experimental`
+the Docker daemon, use the `docker version` command and check the `Experimental`
 line in the `Engine` section:
 
 ```console
@@ -711,10 +706,10 @@ Server: Docker Engine - Community
  [...]
 ```
 
-To enable experimental mode, users need to restart the docker daemon with the
+To enable experimental mode, users need to restart the Docker daemon with the
 experimental flag enabled.
 
-#### Enable Docker experimental
+#### Enable experimental features
 
 To enable experimental features, you need to start the Docker daemon with
 `--experimental` flag. You can also enable the daemon flag via
@@ -735,7 +730,7 @@ true
 
 #### Build an image with `--squash` argument
 
-The following is an example of docker build with `--squash` argument
+The following is an example of a build with `--squash` argument
 
 ```dockerfile
 FROM busybox

docs/reference/commandline/checkpoint.md

@@ -18,7 +18,7 @@ Manage checkpoints
 ## Description
 
 Checkpoint and Restore is an experimental feature that allows you to freeze a running
-container by checkpointing it, which turns its state into a collection of files
+container by specifying a checkpoint, which turns the container state into a collection of files
 on disk. Later, the container can be restored from the point it was frozen.
 
 This is accomplished using a tool called [CRIU](https://criu.org), which is an
@@ -29,7 +29,7 @@ checkpoint and restore in Docker is available in this
 ### Installing CRIU
 
 If you use a Debian system, you can add the CRIU PPA and install with `apt-get`
-[from the criu launchpad](https://launchpad.net/~criu/+archive/ubuntu/ppa).
+[from the CRIU launchpad](https://launchpad.net/~criu/+archive/ubuntu/ppa).
 
 Alternatively, you can [build CRIU from source](https://criu.org/Installation).
 
@@ -91,17 +91,17 @@ abc0123
 ```
 
 This process just logs an incrementing counter to stdout. If you run `docker logs`
-in between running/checkpoint/restoring you should see that the counter
+in-between running/checkpoint/restoring, you should see that the counter
-increases while the process is running, stops while it's checkpointed, and
+increases while the process is running, stops while it's frozen, and
 resumes from the point it left off once you restore.
 
 ### Known limitations
 
-seccomp is only supported by CRIU in very up to date kernels.
+`seccomp` is only supported by CRIU in very up-to-date kernels.
 
-External terminal (i.e. `docker run -t ..`) is not supported at the moment.
+External terminals (i.e. `docker run -t ..`) aren't supported.
 If you try to create a checkpoint for a container with an external terminal,
-it would fail:
+it fails:
 
 ```console
 $ docker checkpoint create cr checkpoint1

docs/reference/commandline/cli.md

@@ -156,7 +156,7 @@ By default, the Docker command line stores its configuration files in a
 directory called `.docker` within your `$HOME` directory.
 
 Docker manages most of the files in the configuration directory
-and you should not modify them. However, you can modify the
+and you shouldn't modify them. However, you can modify the
 `config.json` file to control certain aspects of how the `docker`
 command behaves.
 
@@ -167,7 +167,6 @@ and the `--config` flag are set, the flag takes precedent over the environment
 variable. Command line options override environment variables and environment
 variables override properties you specify in a `config.json` file.
 
-
 ### Change the `.docker` directory
 
 To specify a different directory, use the `DOCKER_CONFIG`
@@ -201,7 +200,7 @@ By default, configuration file is stored in `~/.docker/config.json`. Refer to th
 different location.
 
 > **Warning**
-> 
+>
 > The configuration file and other files inside the `~/.docker` configuration
 > directory may contain sensitive information, such as authentication information
 > for proxies or, depending on your credential store, credentials for your image
@@ -210,38 +209,36 @@ different location.
 
 ### Customize the default output format for commands
 
-These fields allow you to customize the default output format for some commands
+These fields lets you customize the default output format for some commands
 if no `--format` flag is provided.
 
-| Property               | Description                                                                                                                                                                                                              |
+| Property               | Description                                                                                                                                                         |
-|:-----------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| :--------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `configFormat`         | Custom default format for `docker config ls` output. Refer to the [**format the output** section in the `docker config ls` documentation](config_ls.md#format) for a list of supported formatting directives.            |
+| `configFormat`         | Custom default format for `docker config ls` output. See [`docker config ls`](config_ls.md#format) for a list of supported formatting directives.                   |
-| `imagesFormat`         | Custom default format for `docker images` / `docker image ls` output. Refer to the [**format the output** section in the `docker images` documentation](images.md#format) for a list of supported formatting directives. |
+| `imagesFormat`         | Custom default format for `docker images` / `docker image ls` output. See [`docker images`](images.md#format) for a list of supported formatting directives.        |
-| `nodesFormat`          | Custom default format for `docker node ls` output. Refer to the [**formatting** section in the `docker node ls` documentation](node_ls.md#format) for a list of supported formatting directives.                         |
+| `nodesFormat`          | Custom default format for `docker node ls` output. See [`docker node ls`](node_ls.md#format) for a list of supported formatting directives.                         |
-| `pluginsFormat`        | Custom default format for `docker plugin ls` output. Refer to the [**formatting** section in the `docker plugin ls` documentation](plugin_ls.md#format) for a list of supported formatting directives.                   |
+| `pluginsFormat`        | Custom default format for `docker plugin ls` output. See [`docker plugin ls`](plugin_ls.md#format) for a list of supported formatting directives.                   |
-| `psFormat`             | Custom default format for `docker ps` / `docker container ps` output. Refer to the [**formatting** section in the `docker ps` documentation](ps.md#format) for a list of supported formatting directives.                |
+| `psFormat`             | Custom default format for `docker ps` / `docker container ps` output. See [`docker ps`](ps.md#format) for a list of supported formatting directives.                |
-| `secretFormat`         | Custom default format for `docker secret ls` output. Refer to the [**format the output** section in the `docker secret ls` documentation](secret_ls.md#format) for a list of supported formatting directives.            |
+| `secretFormat`         | Custom default format for `docker secret ls` output. See [`docker secret ls`](secret_ls.md#format) for a list of supported formatting directives.                   |
-| `serviceInspectFormat` | Custom default format for `docker service inspect` output. Refer to the [**formatting** section in the `docker service inspect` documentation](service_inspect.md#format) for a list of supported formatting directives. |
+| `serviceInspectFormat` | Custom default format for `docker service inspect` output. See [`docker service inspect`](service_inspect.md#format) for a list of supported formatting directives. |
-| `servicesFormat`       | Custom default format for `docker service ls` output. Refer to the [**formatting** section in the `docker service ls` documentation](service_ls.md#format) for a list of supported formatting directives.                |
+| `servicesFormat`       | Custom default format for `docker service ls` output. See [`docker service ls`](service_ls.md#format) for a list of supported formatting directives.                |
-| `statsFormat`          | Custom default format for `docker stats` output. Refer to the [**formatting** section in the `docker stats` documentation](stats.md#format) for a list of supported formatting directives.                               |
+| `statsFormat`          | Custom default format for `docker stats` output. See [`docker stats`](stats.md#format) for a list of supported formatting directives.                               |
-
 
 ### Custom HTTP headers
 
 The property `HttpHeaders` specifies a set of headers to include in all messages
-sent from the Docker client to the daemon. Docker does not try to interpret or
+sent from the Docker client to the daemon. Docker doesn't try to interpret or
 understand these headers; it simply puts them into the messages. Docker does
 not allow these headers to change any headers it sets for itself.
 
-
 ### Credential store options
 
 The property `credsStore` specifies an external binary to serve as the default
 credential store. When this property is set, `docker login` will attempt to
 store credentials in the binary specified by `docker-credential-<value>` which
-is visible on `$PATH`. If this property is not set, credentials will be stored
+is visible on `$PATH`. If this property isn't set, credentials are stored
-in the `auths` property of the config. For more information, see the
+in the `auths` property of the CLI configuration file. For more information,
-[**Credential stores** section in the `docker login` documentation](login.md#credential-stores)
+see the [**Credential stores** section in the `docker login` documentation](login.md#credential-stores)
 
 The property `credHelpers` specifies a set of credential helpers to use
 preferentially over `credsStore` or `auths` when storing and retrieving
@@ -250,14 +247,13 @@ credentials for specific registries. If this property is set, the binary
 for a specific registry. For more information, see the
 [**Credential helpers** section in the `docker login` documentation](login.md#credential-helpers)
 
-
 ### Automatic proxy configuration for containers
 
 The property `proxies` specifies proxy environment variables to be automatically
 set on containers, and set as `--build-arg` on containers used during `docker build`.
-A `"default"` set of proxies can be configured, and will be used for any docker
+A `"default"` set of proxies can be configured, and will be used for any Docker
-daemon that the client connects to, or a configuration per host (docker daemon),
+daemon that the client connects to, or a configuration per host (Docker daemon),
-for example, "https://docker-daemon1.example.com". The following properties can
+for example, `https://docker-daemon1.example.com`. The following properties can
 be set for each environment:
 
 | Property       | Description                                                                                             |
@@ -274,11 +270,12 @@ used as proxy settings for the `docker` CLI or the `dockerd` daemon. Refer to th
 sections for configuring proxy settings for the cli and daemon.
 
 > **Warning**
-> 
+>
 > Proxy settings may contain sensitive information (for example, if the proxy
 > requires authentication). Environment variables are stored as plain text in
 > the container's configuration, and as such can be inspected through the remote
 > API or committed to an image when using `docker commit`.
+{ .warning }
 
 ### Default key-sequence to detach from containers
 
@@ -292,7 +289,7 @@ a letter [a-Z], or the `ctrl-` combined with any of the following:
 * `@` (at sign)
 * `[` (left bracket)
 * `\\` (two backward slashes)
-*  `_` (underscore)
+* `_` (underscore)
 * `^` (caret)
 
 Your customization applies to all containers started in with your Docker client.
@@ -300,13 +297,12 @@ Users can override your custom or the default key sequence on a per-container
 basis. To do this, the user specifies the `--detach-keys` flag with the `docker
 attach`, `docker exec`, `docker run` or `docker start` command.
 
-### CLI Plugin options
+### CLI plugin options
 
 The property `plugins` contains settings specific to CLI plugins. The
 key is the plugin name, while the value is a further map of options,
 which are specific to that plugin.
 
-
 ### Sample configuration file
 
 Following is a sample `config.json` file to illustrate the format used for
@@ -370,7 +366,7 @@ and require no configuration to enable them.
 
 If using your own notary server and a self-signed certificate or an internal
 Certificate Authority, you need to place the certificate at
-`tls/<registry_url>/ca.crt` in your docker config directory.
+`tls/<registry_url>/ca.crt` in your Docker config directory.
 
 Alternatively you can trust the certificate globally by adding it to your system's
 list of root Certificate Authorities.

docs/reference/commandline/commit.md

@@ -22,21 +22,18 @@ Create a new image from a container's changes
 ## Description
 
 It can be useful to commit a container's file changes or settings into a new
-image. This allows you to debug a container by running an interactive shell, or to
+image. This lets you debug a container by running an interactive shell, or
-export a working dataset to another server. Generally, it is better to use
+export a working dataset to another server.
-Dockerfiles to manage your images in a documented and maintainable way.
-[Read more about valid image names and tags](tag.md).
 
-The commit operation will not include any data contained in
+Commits do not include any data contained in mounted volumes.
-volumes mounted inside the container.
 
 By default, the container being committed and its processes will be paused
 while the image is committed. This reduces the likelihood of encountering data
-corruption during the process of creating the commit.  If this behavior is
+corruption during the process of creating the commit. If this behavior is
 undesired, set the `--pause` option to false.
 
-The `--change` option will apply `Dockerfile` instructions to the image that is
+The `--change` option will apply `Dockerfile` instructions to the image that's
-created.  Supported `Dockerfile` instructions:
+created. Supported `Dockerfile` instructions:
 `CMD`|`ENTRYPOINT`|`ENV`|`EXPOSE`|`LABEL`|`ONBUILD`|`USER`|`VOLUME`|`WORKDIR`
 
 ## Examples

docs/reference/commandline/config_create.md

@@ -21,7 +21,7 @@ For detailed information about using configs, refer to [store configuration data
 
 > **Note**
 >
-> This is a cluster management command, and must be executed on a swarm
+> This is a cluster management command, and must be executed on a Swarm
 > manager node. To learn about managers and workers, refer to the
 > [Swarm mode section](https://docs.docker.com/engine/swarm/) in the
 > documentation.
@@ -88,7 +88,6 @@ $ docker config inspect my_config
 ]
 ```
 
-
 ## Related commands
 
 * [config inspect](config_inspect.md)

docs/reference/commandline/config_inspect.md

@@ -27,7 +27,7 @@ For detailed information about using configs, refer to [store configuration data
 
 > **Note**
 >
-> This is a cluster management command, and must be executed on a swarm
+> This is a cluster management command, and must be executed on a Swarm
 > manager node. To learn about managers and workers, refer to the
 > [Swarm mode section](https://docs.docker.com/engine/swarm/) in the
 > documentation.
@@ -86,7 +86,6 @@ $ docker config inspect --format='{{.CreatedAt}}' eo7jnzguqgtpdah3cm5srfb97
 2017-03-24 08:15:09.735271783 +0000 UTC
 ```
 
-
 ## Related commands
 
 * [config create](config_create.md)

docs/reference/commandline/config_ls.md

@@ -20,13 +20,13 @@ List configs
 
 ## Description
 
-Run this command on a manager node to list the configs in the swarm.
+Run this command on a manager node to list the configs in the Swarm.
 
 For detailed information about using configs, refer to [store configuration data using Docker Configs](https://docs.docker.com/engine/swarm/configs/).
 
 > **Note**
 >
-> This is a cluster management command, and must be executed on a swarm
+> This is a cluster management command, and must be executed on a Swarm
 > manager node. To learn about managers and workers, refer to the
 > [Swarm mode section](https://docs.docker.com/engine/swarm/) in the
 > documentation.

docs/reference/commandline/config_rm.md

@@ -12,13 +12,13 @@ Remove one or more configs
 
 ## Description
 
-Removes the specified configs from the swarm.
+Removes the specified configs from the Swarm.
 
 For detailed information about using configs, refer to [store configuration data using Docker Configs](https://docs.docker.com/engine/swarm/configs/).
 
 > **Note**
 >
-> This is a cluster management command, and must be executed on a swarm
+> This is a cluster management command, and must be executed on a Swarm
 > manager node. To learn about managers and workers, refer to the
 > [Swarm mode section](https://docs.docker.com/engine/swarm/) in the
 > documentation.
@@ -34,9 +34,8 @@ sapth4csdo5b6wz2p5uimh5xg
 
 > **Warning**
 >
-> Unlike `docker rm`, this command does not ask for confirmation before removing
+> This command doesn't ask for confirmation before removing a config.
-> a config.
+{ .warning }
-
 
 ## Related commands
 

docs/reference/commandline/container_prune.md

@@ -48,7 +48,7 @@ relative to the daemon machine’s time. Supported formats for date
 formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
 `2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
 timezone on the daemon will be used if you do not provide either a `Z` or a
-`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+`+-00:00` timezone offset at the end of the timestamp. When providing Unix
 timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
 that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
 seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a

docs/reference/commandline/context_create.md

@@ -31,16 +31,16 @@ $ docker context create my-context --description "some description" --docker "ho
 
 ## Description
 
-Creates a new `context`. This allows you to quickly switch the cli
+Creates a new `context`. This lets you switch the daemon your `docker` CLI
-configuration to connect to different clusters or single nodes.
+connects to.
 
 ## Examples
 
-### <a name="docker"></a> Create a context with a docker endpoint (--docker)
+### <a name="docker"></a> Create a context with a Docker endpoint (--docker)
 
-To create a context from scratch provide the docker and, if required,
+Use the `--docker` flag to create a context with a custom endpoint. The
-kubernetes options. The example below creates the context `my-context`
+following example creates a context named `my-context` with a docker endpoint
-with a docker endpoint of `/var/run/docker.sock`:
+of `/var/run/docker.sock`:
 
 ```console
 $ docker context create \
@@ -58,7 +58,7 @@ from the existing context `existing-context`:
 $ docker context create --from existing-context my-context
 ```
 
-If the `--from` option is not set, the `context` is created from the current context:
+If the `--from` option isn't set, the `context` is created from the current context:
 
 ```console
 $ docker context create my-context

docs/reference/commandline/context_use.md

@@ -9,5 +9,5 @@ Set the current docker context
 ## Description
 
 Set the default context to use, when `DOCKER_HOST`, `DOCKER_CONTEXT` environment
-variables and `--host`, `--context` global options are not set.
+variables and `--host`, `--context` global options aren't set.
 To disable usage of contexts, you can use the special `default` context.

docs/reference/commandline/cp.md

@@ -48,8 +48,8 @@ machine are created with the `UID:GID` of the user which invoked the `docker cp`
 command. However, if you specify the `-a` option, `docker cp` sets the ownership
 to the user and primary group at the source.
 If you specify the `-L` option, `docker cp` follows any symbolic link
-in the `SRC_PATH`.  `docker cp` does *not* create parent directories for
+in the `SRC_PATH`.  `docker cp` doesn't create parent directories for
-`DEST_PATH` if they do not exist.
+`DEST_PATH` if they don't exist.
 
 Assuming a path separator of `/`, a first argument of `SRC_PATH` and second
 argument of `DEST_PATH`, the behavior is as follows:
@@ -111,7 +111,7 @@ $ docker cp CONTAINER:/var/logs/app.log - | tar x -O | grep "ERROR"
 
 ### Corner cases
 
-It is not possible to copy certain system files such as resources under
+It isn't possible to copy certain system files such as resources under
 `/proc`, `/sys`, `/dev`, [tmpfs](run.md#tmpfs), and mounts created by
 the user in the container. However, you can still copy such files by manually
 running `tar` in `docker exec`. Both of the following examples do the same thing

docs/reference/commandline/create.md

@@ -120,14 +120,14 @@ Create a new container
 The `docker container create` (or shorthand: `docker create`) command creates a
 new container from the specified image, without starting it.
 
-When creating a container, the docker daemon creates a writeable container layer
+When creating a container, the Docker daemon creates a writeable container layer
-over the specified image and prepares it for running the specified command.  The
+over the specified image and prepares it for running the specified command. The
-container ID is then printed to `STDOUT`.  This is similar to `docker run -d`
+container ID is then printed to `STDOUT`. This is similar to `docker run -d`
 except the container is never started. You can then use the `docker container start`
 (or shorthand: `docker start`) command to start the container at any point.
 
 This is useful when you want to set up a container configuration ahead of time
-so that it is ready to start when you need it. The initial status of the
+so that it's ready to start when you need it. The initial status of the
 new container is `created`.
 
 The `docker create` command shares most of its options with the `docker run`

docs/reference/commandline/dockerd.md

@@ -124,7 +124,7 @@ To run the daemon with debug output, use `dockerd --debug` or add `"debug": true
 to [the `daemon.json` file](#daemon-configuration-file).
 
 > **Enabling experimental features**
-> 
+>
 > Enable experimental features by starting `dockerd` with the `--experimental`
 > flag or adding `"experimental": true` to the `daemon.json` file.
 
@@ -137,7 +137,7 @@ by the `dockerd` command line:
 |:--------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `DOCKER_CERT_PATH`  | Location of your authentication keys. This variable is used both by the [`docker` CLI](cli.md) and the `dockerd` daemon.                                                          |
 | `DOCKER_DRIVER`     | The storage driver to use.                                                                                                                                                        |
-| `DOCKER_RAMDISK`    | If set this disables 'pivot_root'.                                                                                                                                                |
+| `DOCKER_RAMDISK`    | If set this disables `pivot_root`.                                                                                                                                                |
 | `DOCKER_TLS_VERIFY` | When set Docker uses TLS and verifies the remote. This variable is used both by the  [`docker` CLI](cli.md) and the `dockerd` daemon.                                             |
 | `DOCKER_TMPDIR`     | Location for temporary files created by the daemon.                                                                                                                               |
 | `HTTP_PROXY`        | Proxy URL for HTTP requests unless overridden by NoProxy. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details.                      |
@@ -150,7 +150,7 @@ by the `dockerd` command line:
 ### Proxy configuration
 
 > **Note**
-> 
+>
 > Refer to the [Docker Desktop manual](https://docs.docker.com/desktop/networking/#httphttps-proxy-support)
 > if you are running [Docker Desktop](https://docs.docker.com/desktop/).
 
@@ -160,10 +160,10 @@ operations such as pulling and pushing images. The daemon can be configured
 in three ways:
 
 1. Using environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`).
-2. Using the "http-proxy", "https-proxy", and "no-proxy" fields in the
+2. Using the `http-proxy`, `https-proxy`, and `no-proxy` fields in the
-  [daemon configuration file](#daemon-configuration-file) (Docker Engine 23.0 or newer).
+   [daemon configuration file](#daemon-configuration-file) (Docker Engine version 23.0 or later).
 3. Using the `--http-proxy`, `--https-proxy`, and `--no-proxy` command-line
-  options. (Docker Engine 23.0 or newer).
+   options. (Docker Engine version 23.0 or later).
 
 The command-line and configuration file options take precedence over environment
 variables. Refer to [control and configure Docker with systemd](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy)
@@ -178,11 +178,11 @@ By default, a `unix` domain socket (or IPC socket) is created at
 `/var/run/docker.sock`, requiring either `root` permission, or `docker` group
 membership.
 
-If you need to access the Docker daemon remotely, you need to enable the `tcp`
+If you need to access the Docker daemon remotely, you need to enable the tcp
-Socket. Beware that the default setup provides un-encrypted and
+Socket. When using a TCP socket, the Docker daemon provides un-encrypted and
-un-authenticated direct access to the Docker daemon - and should be secured
+un-authenticated direct access to the Docker daemon by default. You should secure
-either using the [built in HTTPS encrypted socket](https://docs.docker.com/engine/security/https/), or by
+the daemon either using the [built in HTTPS encrypted socket](https://docs.docker.com/engine/security/protect-access/),
-putting a secure web proxy in front of it. You can listen on port `2375` on all
+or by putting a secure web proxy in front of it. You can listen on port `2375` on all
 network interfaces with `-H tcp://0.0.0.0:2375`, or on a particular network
 interface using its IP address: `-H tcp://192.168.59.103:2375`. It is
 conventional to use port `2375` for un-encrypted, and port `2376` for encrypted
@@ -191,28 +191,28 @@ communication with the daemon.
 > **Note**
 >
 > If you're using an HTTPS encrypted socket, keep in mind that only
-> TLS1.0 and greater are supported. Protocols SSLv3 and under are not
+> TLS version 1.0 and higher is supported. Protocols SSLv3 and below are not
-> supported anymore for security reasons.
+> supported for security reasons.
 
-On Systemd based systems, you can communicate with the daemon via
+On systemd based systems, you can communicate with the daemon via
-[Systemd socket activation](https://0pointer.de/blog/projects/socket-activation.html),
+[systemd socket activation](https://0pointer.de/blog/projects/socket-activation.html),
-use `dockerd -H fd://`. Using `fd://` will work perfectly for most setups but
+with `dockerd -H fd://`. Using `fd://` works for most setups, but
 you can also specify individual sockets: `dockerd -H fd://3`. If the
-specified socket activated files aren't found, then Docker will exit. You can
+specified socket activated files aren't found, the daemon exits. You can
-find examples of using Systemd socket activation with Docker and Systemd in the
+find examples of using systemd socket activation with Docker and systemd in the
 [Docker source tree](https://github.com/docker/docker/tree/master/contrib/init/systemd/).
 
 You can configure the Docker daemon to listen to multiple sockets at the same
 time using multiple `-H` options:
 
-The example below runs the daemon listening on the default unix socket, and
+The example below runs the daemon listening on the default Unix socket, and
 on 2 specific IP addresses on this host:
 
 ```console
 $ sudo dockerd -H unix:///var/run/docker.sock -H tcp://192.168.59.106 -H tcp://10.10.10.2
 ```
 
-The Docker client will honor the `DOCKER_HOST` environment variable to set the
+The Docker client honors the `DOCKER_HOST` environment variable to set the
 `-H` flag for the client. Use **one** of the following commands:
 
 ```console
@@ -236,7 +236,7 @@ $ export DOCKER_TLS_VERIFY=1
 $ docker ps
 ```
 
-The Docker client will honor the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`
+The Docker client honors the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`
 environment variables (or the lowercase versions thereof). `HTTPS_PROXY` takes
 precedence over `HTTP_PROXY`.
 
@@ -258,29 +258,28 @@ supported. If your key is protected with passphrase, you need to set up
 
 > **Warning**
 >
-> Changing the default `docker` daemon binding to a
+> Changing the default `docker` daemon binding to a TCP port or Unix `docker`
-> TCP port or Unix *docker* user group will increase your security risks
+> user group introduces security risks, as it may allow non-root users to gain
-> by allowing non-root users to gain *root* access on the host. Make sure
+> root access on the host. Make sure you control access to `docker`. If you are
-> you control access to `docker`. If you are binding
+> binding to a TCP port, anyone with access to that port has full Docker
-> to a TCP port, anyone with access to that port has full Docker access;
+> access; so it's not advisable on an open network.
-> so it is not advisable on an open network.
+{ .warning }
-{: .warning :}
 
-With `-H` it is possible to make the Docker daemon to listen on a
+With `-H` it's possible to make the Docker daemon to listen on a specific IP
-specific IP and port. By default, it will listen on
+and port. By default, it listens on `unix:///var/run/docker.sock` to allow
-`unix:///var/run/docker.sock` to allow only local connections by the
+only local connections by the root user. You could set it to `0.0.0.0:2375` or
-*root* user. You *could* set it to `0.0.0.0:2375` or a specific host IP
+a specific host IP to give access to everybody, but that isn't recommended
-to give access to everybody, but that is **not recommended** because
+because someone could gain root access to the host where the daemon is running.
-then it is trivial for someone to gain root access to the host where the
-daemon is running.
 
 Similarly, the Docker client can use `-H` to connect to a custom port.
-The Docker client will default to connecting to `unix:///var/run/docker.sock`
+The Docker client defaults to connecting to `unix:///var/run/docker.sock`
 on Linux, and `tcp://127.0.0.1:2376` on Windows.
 
 `-H` accepts host and port assignment in the following format:
 
-    tcp://[host]:[port][path] or unix://path
+```text
+tcp://[host]:[port][path] or unix://path
+```
 
 For example:
 
@@ -293,7 +292,7 @@ For example:
 -   `unix://path/to/socket` -> Unix socket located
     at `path/to/socket`
 
-`-H`, when empty, will default to the same value as
+`-H`, when empty, defaults to the same value as
 when no `-H` was passed in.
 
 `-H` also accepts short form for TCP bindings: `host:` or `host:port` or `:port`
@@ -344,9 +343,8 @@ Particular storage-driver can be configured with options specified with
 
 ##### `zfs.fsname`
 
-Set zfs filesystem under which docker will create its own datasets.
+Specifies the ZFS filesystem that the daemon should use to create its datasets.
-By default docker will pick up the zfs filesystem where docker graph
+By default, the ZFS filesystem in `/var/lib/docker` is used.
-(`/var/lib/docker`) is located.
 
 ###### Example
 
@@ -360,8 +358,8 @@ $ sudo dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
 
 Specifies the minimum size to use when creating the subvolume which is used
 for containers. If user uses disk quota for btrfs when creating or running
-a container with **--storage-opt size** option, docker should ensure the
+a container with **--storage-opt size** option, Docker should ensure the
-**size** cannot be smaller than **btrfs.min_space**.
+**size** can't be smaller than **btrfs.min_space**.
 
 ###### Example
 
@@ -374,8 +372,8 @@ $ sudo dockerd -s btrfs --storage-opt btrfs.min_space=10G
 ##### `overlay2.size`
 
 Sets the default max size of the container. It is supported only when the
-backing fs is `xfs` and mounted with `pquota` mount option. Under these
+backing filesystem is `xfs` and mounted with `pquota` mount option. Under these
-conditions the user can pass any size less than the backing fs size.
+conditions the user can pass any size less than the backing filesystem size.
 
 ###### Example
 
@@ -687,7 +685,7 @@ To set the DNS search domain for all Docker containers, use:
 $ sudo dockerd --dns-search example.com
 ```
 
-### Allow push of nondistributable artifacts
+### Allow push of non-distributable artifacts
 
 Some images (e.g., Windows base images) contain artifacts whose distribution is
 restricted by license. When these images are pushed to a registry, restricted
@@ -697,38 +695,41 @@ To override this behavior for specific registries, use the
 `--allow-nondistributable-artifacts` option in one of the following forms:
 
 * `--allow-nondistributable-artifacts myregistry:5000` tells the Docker daemon
-  to push nondistributable artifacts to myregistry:5000.
+  to push non-distributable artifacts to myregistry:5000.
 * `--allow-nondistributable-artifacts 10.1.0.0/16` tells the Docker daemon to
-  push nondistributable artifacts to all registries whose resolved IP address
+  push non-distributable artifacts to all registries whose resolved IP address
   is within the subnet described by the CIDR syntax.
 
 This option can be used multiple times.
 
-This option is useful when pushing images containing nondistributable artifacts
+This option is useful when pushing images containing non-distributable artifacts
 to a registry on an air-gapped network so hosts on that network can pull the
 images without connecting to another server.
 
-> **Warning**: Nondistributable artifacts typically have restrictions on how
+> **Warning**
+>
+> Non-distributable artifacts typically have restrictions on how
 > and where they can be distributed and shared. Only use this feature to push
 > artifacts to private registries and ensure that you are in compliance with
-> any terms that cover redistributing nondistributable artifacts.
+> any terms that cover redistributing non-distributable artifacts.
+{ .warning }
 
 ### Insecure registries
 
-Docker considers a private registry either secure or insecure. In the rest of
+In this section, "registry" refers to a private registry, and `myregistry:5000`
-this section, *registry* is used for *private registry*, and `myregistry:5000`
+is a placeholder example of a private registry.
-is a placeholder example for a private registry.
 
+Docker considers a private registry either secure or insecure.
 A secure registry uses TLS and a copy of its CA certificate is placed on the
 Docker host at `/etc/docker/certs.d/myregistry:5000/ca.crt`. An insecure
 registry is either not using TLS (i.e., listening on plain text HTTP), or is
 using TLS with a CA certificate not known by the Docker daemon. The latter can
-happen when the certificate was not found under
+happen when the certificate wasn't found under
 `/etc/docker/certs.d/myregistry:5000/`, or if the certificate verification
 failed (i.e., wrong CA).
 
-By default, Docker assumes all, but local (see local registries below),
+By default, Docker assumes all registries to be secure, except for local registries.
-registries are secure. Communicating with an insecure registry is not possible
+Communicating with an insecure registry isn't possible
 if Docker assumes that registry is secure. In order to communicate with an
 insecure registry, the Docker daemon requires `--insecure-registry` in one of
 the following two forms:
@@ -742,34 +743,33 @@ the following two forms:
 The flag can be used multiple times to allow multiple registries to be marked
 as insecure.
 
-If an insecure registry is not marked as insecure, `docker pull`,
+If an insecure registry isn't marked as insecure, `docker pull`,
-`docker push`, and `docker search` will result in an error message prompting
+`docker push`, and `docker search` result in error messages, prompting
 the user to either secure or pass the `--insecure-registry` flag to the Docker
 daemon as described above.
 
 Local registries, whose IP address falls in the 127.0.0.0/8 range, are
-automatically marked as insecure as of Docker 1.3.2. It is not recommended to
+automatically marked as insecure as of Docker 1.3.2. It isn't recommended to
 rely on this, as it may change in the future.
 
 Enabling `--insecure-registry`, i.e., allowing un-encrypted and/or untrusted
-communication, can be useful when running a local registry.  However,
+communication, can be useful when running a local registry. However,
-because its use creates security vulnerabilities it should ONLY be enabled for
+because its use creates security vulnerabilities it should only be enabled for
-testing purposes.  For increased security, users should add their CA to their
+testing purposes. For increased security, users should add their CA to their
 system's list of trusted CAs instead of enabling `--insecure-registry`.
 
 #### Legacy Registries
 
 Operations against registries supporting only the legacy v1 protocol are no longer
-supported. Specifically, the daemon will not attempt `push`, `pull` and `login`
+supported. Specifically, the daemon doesn't attempt to push, pull or sign in
 to v1 registries. The exception to this is `search` which can still be performed
 on v1 registries.
 
-
 ### Running a Docker daemon behind an HTTPS_PROXY
 
-When running inside a LAN that uses an `HTTPS` proxy, the Docker Hub
+When running inside a LAN that uses an `HTTPS` proxy, the proxy's certificates
-certificates will be replaced by the proxy's certificates. These certificates
+replace Docker Hub's certificates. These certificates must be added to your
-need to be added to your Docker host's configuration:
+Docker host's configuration:
 
 1. Install the `ca-certificates` package for your distribution
 2. Ask your network admin for the proxy's CA certificate and append them to
@@ -778,21 +778,20 @@ need to be added to your Docker host's configuration:
    The `username:` and `password@` are optional - and are only needed if your
    proxy is set up to require authentication.
 
-This will only add the proxy and authentication to the Docker daemon's requests -
+This only adds the proxy and authentication to the Docker daemon's requests.
-your `docker build`s and running containers will need extra configuration to
+To use the proxy when building images and running containers, see
-use the proxy
+[Configure Docker to use a proxy server](https://docs.docker.com/network/proxy/)
 
 ### Default `ulimit` settings
 
-`--default-ulimit` allows you to set the default `ulimit` options to use for
+The `--default-ulimit` flag lets you set the default `ulimit` options to use for
 all containers. It takes the same options as `--ulimit` for `docker run`. If
-these defaults are not set, `ulimit` settings will be inherited, if not set on
+these defaults aren't set, `ulimit` settings are inherited from the Docker daemon.
-`docker run`, from the Docker daemon. Any `--ulimit` options passed to
+Any `--ulimit` options passed to `docker run` override the daemon defaults.
-`docker run` will overwrite these defaults.
 
-Be careful setting `nproc` with the `ulimit` flag as `nproc` is designed by Linux to
+Be careful setting `nproc` with the `ulimit` flag, as `nproc` is designed by Linux to
-set the maximum number of processes available to a user, not to a container. For details
+set the maximum number of processes available to a user, not to a container.
-please check the [run](run.md) reference.
+For details, see [`docker run` reference](run.md#ulimit).
 
 ### Access authorization
 
@@ -818,17 +817,16 @@ allow the request for it to complete.
 For information about how to create an authorization plugin, refer to the
 [authorization plugin](../../extend/plugins_authorization.md) section.
 
-
 ### Daemon user namespace options
 
 The Linux kernel
 [user namespace support](https://man7.org/linux/man-pages/man7/user_namespaces.7.html)
 provides additional security by enabling a process, and therefore a container,
 to have a unique range of user and group IDs which are outside the traditional
-user and group range utilized by the host system. Potentially the most important
+user and group range utilized by the host system. One of the most important
-security improvement is that, by default, container processes running as the
+security improvements is that, by default, container processes running as the
-`root` user will have expected administrative privilege (with some restrictions)
+`root` user have expected administrative privileges it expects (with some restrictions)
-inside the container but will effectively be mapped to an unprivileged `uid` on
+inside the container, but are effectively mapped to an unprivileged `uid` on
 the host.
 
 For details about how to use this feature, as well as limitations, see
@@ -856,29 +854,23 @@ PING host.docker.internal (192.0.2.0): 56 data bytes
 ### Miscellaneous options
 
 IP masquerading uses address translation to allow containers without a public
-IP to talk to other machines on the Internet. This may interfere with some
+IP to talk to other machines on the internet. This may interfere with some
-network topologies and can be disabled with `--ip-masq=false`.
+network topologies, and can be disabled with `--ip-masq=false`.
 
-Docker supports softlinks for the Docker data directory (`/var/lib/docker`) and
+Docker supports soft links for the Docker data directory (`/var/lib/docker`) and
 for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be
 set like this:
 
-```console
-$ DOCKER_TMPDIR=/mnt/disk2/tmp /usr/local/bin/dockerd --data-root /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
-```
-
-or
-
 ```console
 $ export DOCKER_TMPDIR=/mnt/disk2/tmp
-$ /usr/local/bin/dockerd --data-root /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
+$ sudo -E dockerd --data-root /var/lib/docker -H unix://
 ````
 
 #### Default cgroup parent
 
-The `--cgroup-parent` option allows you to set the default cgroup parent
+The `--cgroup-parent` option lets you set the default cgroup parent
-to use for containers. If this option is not set, it defaults to `/docker` for
+for containers. If this option isn't set, it defaults to `/docker` for
-fs cgroup driver and `system.slice` for systemd cgroup driver.
+the cgroupfs driver, and `system.slice` for the systemd cgroup driver.
 
 If the cgroup has a leading forward slash (`/`), the cgroup is created
 under the root cgroup, otherwise the cgroup is created under the daemon
@@ -889,7 +881,7 @@ Assuming the daemon is running in cgroup `daemoncgroup`,
 `/sys/fs/cgroup/memory/foobar`, whereas using `--cgroup-parent=foobar`
 creates the cgroup in `/sys/fs/cgroup/memory/daemoncgroup/foobar`
 
-The systemd cgroup driver has different rules for `--cgroup-parent`. Systemd
+The systemd cgroup driver has different rules for `--cgroup-parent`. systemd
 represents hierarchy by slice and the name of the slice encodes the location in
 the tree. So `--cgroup-parent` for systemd cgroups should be a slice name. A
 name can consist of a dash-separated series of names, which describes the path
@@ -903,7 +895,7 @@ the `--cgroup-parent` option on the daemon.
 
 #### Daemon metrics
 
-The `--metrics-addr` option takes a tcp address to serve the metrics API.
+The `--metrics-addr` option takes a TCP address to serve the metrics API.
 This feature is still experimental, therefore, the daemon must be running in experimental
 mode for this feature to work.
 
@@ -913,34 +905,24 @@ allowing you to make requests on the API at `127.0.0.1:9323/metrics` to receive
 
 Port `9323` is the [default port associated with Docker
 metrics](https://github.com/prometheus/prometheus/wiki/Default-port-allocations)
-to avoid collisions with other prometheus exporters and services.
+to avoid collisions with other Prometheus exporters and services.
 
-If you are running a prometheus server you can add this address to your scrape configs
+If you are running a Prometheus server you can add this address to your scrape configs
-to have prometheus collect metrics on Docker.  For more information
+to have Prometheus collect metrics on Docker. For more information, see
-on prometheus refer to the [prometheus website](https://prometheus.io/).
+[Collect Docker metrics with Prometheus](https://docs.docker.com/config/daemon/prometheus/).
 
-```yaml
+#### Node generic resources
-scrape_configs:
-  - job_name: 'docker'
-    static_configs:
-      - targets: ['127.0.0.1:9323']
-```
-
-Please note that this feature is still marked as experimental as metrics and metric
-names could change while this feature is still in experimental.  Please provide
-feedback on what you would like to see collected in the API.
-
-#### Node Generic Resources
 
 The `--node-generic-resources` option takes a list of key-value
 pair (`key=value`) that allows you to advertise user defined resources
-in a swarm cluster.
+in a Swarm cluster.
 
 The current expected use case is to advertise NVIDIA GPUs so that services
 requesting `NVIDIA-GPU=[0-16]` can land on a node that has enough GPUs for
 the task to run.
 
 Example of usage:
+
 ```json
 {
   "node-generic-resources": [
@@ -958,8 +940,8 @@ except for flags that allow several entries, where it uses the plural
 of the flag name, e.g., `labels` for the `label` flag.
 
 The options set in the configuration file must not conflict with options set
-via flags. The docker daemon fails to start if an option is duplicated between
+using flags. The Docker daemon fails to start if an option is duplicated between
-the file and the flags, regardless of their value. We do this to avoid
+the file and the flags, regardless of their value. This is intentional, and avoids
 silently ignore changes introduced in configuration reloads.
 For example, the daemon fails to start if you set daemon labels
 in the configuration file and also set daemon labels via the `--label` flag.
@@ -983,14 +965,13 @@ $ echo $?
 1
 ```
 
-
 ##### On Linux
 
 The default location of the configuration file on Linux is
-`/etc/docker/daemon.json`. The `--config-file` flag can be used to specify a
+`/etc/docker/daemon.json`. Use the `--config-file` flag to specify a
- non-default location.
+non-default location.
 
-This is a full example of the allowed configuration options on Linux:
+The following is a full example of the allowed configuration options on Linux:
 
 ```json
 {
@@ -1109,22 +1090,22 @@ This is a full example of the allowed configuration options on Linux:
 }
 ```
 
-> **Note:**
+> **Note**
 >
-> You cannot set options in `daemon.json` that have already been set on
+> You can't set options in `daemon.json` that have already been set on
 > daemon startup as a flag.
-> On systems that use `systemd` to start the Docker daemon, `-H` is already set, so
+> On systems that use systemd to start the Docker daemon, `-H` is already set, so
-> you cannot use the `hosts` key in `daemon.json` to add listening addresses.
+> you can't use the `hosts` key in `daemon.json` to add listening addresses.
-> See ["custom Docker daemon options"](https://docs.docker.com/config/daemon/systemd/#custom-docker-daemon-options) for how
+> See [custom Docker daemon options](https://docs.docker.com/config/daemon/systemd/#custom-docker-daemon-options)
-> to accomplish this task with a systemd drop-in file.
+> for an example on how to configure the daemon using systemd drop-in files.
 
 ##### On Windows
 
 The default location of the configuration file on Windows is
- `%programdata%\docker\config\daemon.json`. The `--config-file` flag can be
+`%programdata%\docker\config\daemon.json`. Use the `--config-file` flag
- used to specify a non-default location.
+to specify a non-default location.
 
-This is a full example of the allowed configuration options on Windows:
+The following is a full example of the allowed configuration options on Windows:
 
 ```json
 {
@@ -1170,7 +1151,8 @@ This is a full example of the allowed configuration options on Windows:
 }
 ```
 
-The `default-runtime` option is by default unset, in which case dockerd will auto-detect the runtime. This detection is currently based on if the `containerd` flag is set.
+The `default-runtime` option is by default unset, in which case dockerd automatically detects the runtime.
+This detection is based on if the `containerd` flag is set.
 
 Accepted values:
 
@@ -1178,60 +1160,69 @@ Accepted values:
 - `io.containerd.runhcs.v1` - This is uses the containerd `runhcs` shim to run the container and uses the v2 HCS API's in Windows.
 
 #### Feature options
-The optional field `features` in `daemon.json` allows users to enable or disable specific
-daemon features. For example, `{"features":{"buildkit": true}}` enables `buildkit` as the
-default docker image builder.
 
-The list of currently supported feature options:
+The optional field `features` in `daemon.json` lets you enable or disable specific
-- `buildkit`: It enables `buildkit` as default builder when set to `true` or disables it by
+daemon features.
-`false`. Note that if this option is not explicitly set in the daemon config file, then it
+
-is up to the cli to determine which builder to invoke.
+```json
+{
+  "features": {
+    "some-feature": true,
+    "some-disabled-feature-enabled-by-default": false
+  }
+}
+```
+
+The list of feature options include:
+
+- `containerd-snapshotter`: when set to `true`, the daemon uses containerd
+  snapshotters instead of the classic storage drivers for storing image and
+  container data. For more information, see
+  [containerd storage](https://docs.docker.com/storage/containerd/).
 
 #### Configuration reload behavior
 
 Some options can be reconfigured when the daemon is running without requiring
-to restart the process. We use the `SIGHUP` signal in Linux to reload, and a global event
+to restart the process. The daemon uses the `SIGHUP` signal in Linux to reload,
-in Windows with the key `Global\docker-daemon-config-$PID`. The options can
+and a global event in Windows with the key `Global\docker-daemon-config-$PID`.
-be modified in the configuration file but still will check for conflicts with
+You can modify the options in the configuration file, but the daemon still
-the provided flags. The daemon fails to reconfigure itself
+checks for conflicting settings with the specified CLI flags. The daemon fails
-if there are conflicts, but it won't stop execution.
+to reconfigure itself if there are conflicts, but it won't stop execution.
 
 The list of currently supported options that can be reconfigured is this:
 
-- `debug`: it changes the daemon to debug mode when set to true.
+| Option                             | Description                                                                                                 |
-- `labels`: it replaces the daemon labels with a new set of labels.
+| ---------------------------------- | ----------------------------------------------------------------------------------------------------------- |
-- `live-restore`: Enables [keeping containers alive during daemon downtime](https://docs.docker.com/config/containers/live-restore/).
+| `debug`                            | Toggles debug mode of the daemon.                                                                           |
-- `max-concurrent-downloads`: it updates the max concurrent downloads for each pull.
+| `labels`                           | Replaces the daemon labels with a new set of labels.                                                        |
-- `max-concurrent-uploads`: it updates the max concurrent uploads for each push.
+| `live-restore`                     | Toggles [live restore](https://docs.docker.com/config/containers/live-restore/).                            |
-- `max-download-attempts`: it updates the max download attempts for each pull.
+| `max-concurrent-downloads`         | Configures the max concurrent downloads for each pull.                                                      |
-- `default-runtime`: it updates the runtime to be used if not is
+| `max-concurrent-uploads`           | Configures the max concurrent uploads for each push.                                                        |
-  specified at container creation. It defaults to "default" which is
+| `max-download-attempts`            | Configures the max download attempts for each pull.                                                         |
-  the runtime shipped with the official docker packages.
+| `default-runtime`                  | Configures the runtime to be used if not is specified at container creation.                                |
-- `runtimes`: it updates the list of available OCI runtimes that can
+| `runtimes`                         | Configures the list of available OCI runtimes that can be used to run containers.                           |
-  be used to run containers.
+| `authorization-plugin`             | Specifies the authorization plugins to use.                                                                 |
-- `authorization-plugin`: it specifies the authorization plugins to use.
+| `allow-nondistributable-artifacts` | Specifies a list of registries to which the daemon will push non-distributable artifacts.                   |
-- `allow-nondistributable-artifacts`: Replaces the set of registries to which the daemon will push nondistributable artifacts with a new set of registries.
+| `insecure-registries`              | Specifies a list of registries that the daemon should consider insecure.                                    |
-- `insecure-registries`: it replaces the daemon insecure registries with a new set of insecure registries. If some existing insecure registries in daemon's configuration are not in newly reloaded insecure registries, these existing ones will be removed from daemon's config.
+| `registry-mirrors`                 | Specifies a list of registry mirrors.                                                                       |
-- `registry-mirrors`: it replaces the daemon registry mirrors with a new set of registry mirrors. If some existing registry mirrors in daemon's configuration are not in newly reloaded registry mirrors, these existing ones will be removed from daemon's config.
+| `shutdown-timeout`                 | Configures the daemon's existing configuration timeout with a new timeout for shutting down all containers. |
-- `shutdown-timeout`: it replaces the daemon's existing configuration timeout with a new timeout for shutting down all containers.
+| `features`                         | Enables or disables specific features.                                                                      |
-- `features`: it explicitly enables or disables specific features.
 
 ### Run multiple daemons
 
-> **Note:**
+> **Note**
 >
-> Running multiple daemons on a single host is considered as "experimental". The user should be aware of
+> Running multiple daemons on a single host is considered experimental.
-> unsolved problems. This solution may not work properly in some cases. Solutions are currently under development
+> You may encounter unsolved problems, and things may not work as expected in some cases.
-> and will be delivered in the near future.
 
 This section describes how to run multiple Docker daemons on a single host. To
-run multiple daemons, you must configure each daemon so that it does not
+run multiple daemons, you must configure each daemon so that it doesn't
 conflict with other daemons on the same host. You can set these options either
 by providing them as flags, or by using a [daemon configuration file](#daemon-configuration-file).
 
 The following daemon options must be configured for each daemon:
 
-```console
+```text
 -b, --bridge=                          Attach containers to a network bridge
 --exec-root=/var/run/docker            Root of the Docker execdriver
 --data-root=/var/lib/docker            Root of persisted Docker data
@@ -1245,30 +1236,32 @@ The following daemon options must be configured for each daemon:
 ```
 
 When your daemons use different values for these flags, you can run them on the same host without any problems.
-It is very important to properly understand the meaning of those options and to use them correctly.
+It is important that you understand the meaning of these options and to use them correctly.
 
-- The `-b, --bridge=` flag is set to `docker0` as default bridge network. It is created automatically when you install Docker.
+- The `-b, --bridge=` flag is set to `docker0` as default bridge network.
-If you are not using the default, you must create and configure the bridge manually or just set it to 'none': `--bridge=none`
+  It is created automatically when you install Docker.
-- `--exec-root` is the path where the container state is stored. The default value is `/var/run/docker`. Specify the path for
+  If you aren't using the default, you must create and configure the bridge manually, or set it to 'none': `--bridge=none`
-your running daemon here.
+- `--exec-root` is the path where the container state is stored.
+  The default value is `/var/run/docker`.
+  Specify the path for your running daemon here.
 - `--data-root` is the path where persisted data such as images, volumes, and
-cluster state are stored. The default value is `/var/lib/docker`. To avoid any
+  cluster state are stored. The default value is `/var/lib/docker`. To avoid any
-conflict with other daemons, set this parameter separately for each daemon.
+  conflict with other daemons, set this parameter separately for each daemon.
-- `-p, --pidfile=/var/run/docker.pid` is the path where the process ID of the daemon is stored. Specify the path for your
+- `-p, --pidfile=/var/run/docker.pid` is the path where the process ID of the daemon is stored.
-pid file here.
+  Specify the path for your PID file here.
-- `--host=[]` specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to `/var/run/docker.sock`.
+- `--host=[]` specifies where the Docker daemon listens for client connections.
--  `--iptables=false` prevents the Docker daemon from adding iptables rules. If
+  If unspecified, it defaults to `/var/run/docker.sock`.
-multiple daemons manage iptables rules, they may overwrite rules set by another
+- `--iptables=false` prevents the Docker daemon from adding iptables rules. If
-daemon. Be aware that disabling this option requires you to manually add
+  multiple daemons manage iptables rules, they may overwrite rules set by another
-iptables rules to expose container ports. If you prevent Docker from adding
+  daemon. Be aware that disabling this option requires you to manually add
-iptables rules, Docker will also not add IP masquerading rules, even if you set
+  iptables rules to expose container ports. If you prevent Docker from adding
-`--ip-masq` to `true`. Without IP masquerading rules, Docker containers will not be
+  iptables rules, Docker also doesn't add IP masquerading rules, even if you set
-able to connect to external hosts or the internet when using network other than
+  `--ip-masq` to `true`. Without IP masquerading rules, Docker containers can't
-default bridge.
+  connect to external hosts or the internet when using network other than default bridge.
-- `--config-file=/etc/docker/daemon.json` is the path where configuration file is stored. You can use it instead of
+- `--config-file=/etc/docker/daemon.json` is the path where configuration file is stored.
-daemon flags. Specify the path for each daemon.
+  You can use it instead of daemon flags. Specify the path for each daemon.
 - `--tls*` Docker daemon supports `--tlsverify` mode that enforces encrypted and authenticated remote connections.
-The `--tls*` options enable use of specific certificates for individual daemons.
+  The `--tls*` options enable use of specific certificates for individual daemons.
 
 Example script for a separate “bootstrap” instance of the Docker daemon without network:
 

docs/reference/commandline/events.md

@@ -23,7 +23,7 @@ Get real time events from the server
 
 Use `docker events` to get real-time events from the server. These events differ
 per Docker object type. Different event types have different scopes. Local
-scoped events are only seen on the node they take place on, and swarm scoped
+scoped events are only seen on the node they take place on, and Swarm scoped
 events are seen on all managers.
 
 Only the last 1000 log events are returned. You can use filters to further limit
@@ -146,11 +146,11 @@ Docker configs report the following events:
 The `--since` and `--until` parameters can be Unix timestamps, date formatted
 timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
 relative to the client machine’s time. If you do not provide the `--since` option,
-the command returns only new and/or live events.  Supported formats for date
+the command returns only new and/or live events. Supported formats for date
 formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
 `2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
 timezone on the client will be used if you do not provide either a `Z` or a
-`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+`+-00:00` timezone offset at the end of the timestamp. When providing Unix
 timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
 that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
 seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
@@ -165,40 +165,39 @@ The filtering flag (`-f` or `--filter`) format is of "key=value". If you would
 like to use multiple filters, pass multiple flags (e.g.,
 `--filter "foo=bar" --filter "bif=baz"`)
 
-Using the same filter multiple times will be handled as a *OR*; for example
+Using the same filter multiple times is interpreted as a logical `OR`; for example,
-`--filter container=588a23dac085 --filter container=a8f7720b8c22` will display
+`--filter container=588a23dac085 --filter container=a8f7720b8c22` displays
-events for container 588a23dac085 *OR* container a8f7720b8c22
+events for container `588a23dac085` or container `a8f7720b8c22`.
 
-Using multiple filters will be handled as a *AND*; for example
+Using multiple filters is interpreted as a logical `AND`; for example,
-`--filter container=588a23dac085 --filter event=start` will display events for
+`--filter container=588a23dac085 --filter event=start` displays events for
-container container 588a23dac085 *AND* the event type is *start*
+container `588a23dac085` and where the event type is `start`.
 
 The currently supported filters are:
 
-* config (`config=<name or id>`)
+- config (`config=<name or id>`)
-* container (`container=<name or id>`)
+- container (`container=<name or id>`)
-* daemon (`daemon=<name or id>`)
+- daemon (`daemon=<name or id>`)
-* event (`event=<event action>`)
+- event (`event=<event action>`)
-* image (`image=<repository or tag>`)
+- image (`image=<repository or tag>`)
-* label (`label=<key>` or `label=<key>=<value>`)
+- label (`label=<key>` or `label=<key>=<value>`)
-* network (`network=<name or id>`)
+- network (`network=<name or id>`)
-* node (`node=<id>`)
+- node (`node=<id>`)
-* plugin (`plugin=<name or id>`)
+- plugin (`plugin=<name or id>`)
-* scope (`scope=<local or swarm>`)
+- scope (`scope=<local or swarm>`)
-* secret (`secret=<name or id>`)
+- secret (`secret=<name or id>`)
-* service (`service=<name or id>`)
+- service (`service=<name or id>`)
-* type (`type=<container or image or volume or network or daemon or plugin or service or node or secret or config>`)
+- type (`type=<container or image or volume or network or daemon or plugin or service or node or secret or config>`)
-* volume (`volume=<name>`)
+- volume (`volume=<name>`)
 
 #### <a name="format"></a> Format the output (--format)
 
-If a format (`--format`) is specified, the given template will be executed
+If you specify a format (`--format`), the given template is executed
-instead of the default
+instead of the default format. Go's [text/template](https://pkg.go.dev/text/template)
-format. Go's [text/template](https://pkg.go.dev/text/template) package
+package describes all the details of the format.
-describes all the details of the format.
 
-If a format is set to `{{json .}}`, the events are streamed as valid JSON
+If a format is set to `{{json .}}`, events are streamed in the JSON Lines format.
-Lines. For information about JSON Lines, please refer to https://jsonlines.org/.
+For information about JSON Lines, see <https://jsonlines.org/>.
 
 ## Examples
 
@@ -237,7 +236,7 @@ To exit the `docker events` command, use `CTRL+C`.
 ### Filter events by time
 
 You can filter the output by an absolute timestamp or relative time on the host
-machine, using the following different time syntaxes:
+machine, using the following different time formats:
 
 ```console
 $ docker events --since 1483283804
@@ -401,8 +400,8 @@ Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299
 
 #### Format as JSON
 
-To list events in JSON format, use the `json` directive, which is the equivalent
+To list events in JSON format, use the `json` directive, which is the same
-of `--format '{{ json . }}`.
+`--format '{{ json . }}`.
 
 ```console
 $ docker events --format json
@@ -413,5 +412,3 @@ $ docker events --format json
 {"status":"start","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f42..
 {"status":"resize","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
 ```
-
-.

docs/reference/commandline/exec.md

@@ -28,17 +28,16 @@ Execute a command in a running container
 
 The `docker exec` command runs a new command in a running container.
 
-The command started using `docker exec` only runs while the container's primary
+The command you specify with `docker exec` only runs while the container's
-process (`PID 1`) is running, and it is not restarted if the container is
+primary process (`PID 1`) is running, and it isn't restarted if the container
-restarted.
+is restarted.
 
-COMMAND runs in the default directory of the container. If the underlying image
+The command runs in the default working directory of the container.
-has a custom directory specified with the WORKDIR directive in its Dockerfile,
-this directory is used instead.
 
-COMMAND must be an executable. A chained or a quoted command does not work.
+The command must be an executable. A chained or a quoted command doesn't work.
-For example, `docker exec -it my_container sh -c "echo a && echo b"` does
+
-work, but `docker exec -it my_container "echo a && echo b"` does not.
+- This works: `docker exec -it my_container sh -c "echo a && echo b"`
+- This doesn't work: `docker exec -it my_container "echo a && echo b"`
 
 ## Examples
 
@@ -82,10 +81,10 @@ time the container is created. Use the `--env` (or the `-e` shorthand) to
 override global environment variables, or to set additional environment
 variables for the process started by `docker exec`.
 
-The example below creates a new shell session in the container `mycontainer` with
+The following example creates a new shell session in the container `mycontainer`,
-environment variables `$VAR_A` and `$VAR_B` set to "1" and "2" respectively.
+with environment variables `$VAR_A` set to `1`, and `$VAR_B` set to `2`.
 These environment variables are only valid for the `sh` process started by that
-`docker exec` command, and are not available to other processes running inside
+`docker exec` command, and aren't available to other processes running inside
 the container.
 
 ```console
@@ -99,7 +98,7 @@ HOME=/root
 
 ### <a name="workdir"></a> Set the working directory for the exec process (--workdir, -w)
 
-By default `docker exec` command runs in the same working directory set when 
+By default `docker exec` command runs in the same working directory set when
 the container was created.
 
 ```console
@@ -107,7 +106,7 @@ $ docker exec -it mycontainer pwd
 /
 ```
 
-You can specify an alternative working directory for the command to execute 
+You can specify an alternative working directory for the command to execute
 using the `--workdir` option (or the `-w` shorthand):
 
 ```console
@@ -115,7 +114,6 @@ $ docker exec -it -w /root mycontainer pwd
 /root
 ```
 
-
 ### Try to run `docker exec` on a paused container
 
 If the container is paused, then the `docker exec` command fails with an error:

docs/reference/commandline/export.md

@@ -18,9 +18,9 @@ Export a container's filesystem as a tar archive
 
 ## Description
 
-The `docker export` command does not export the contents of volumes associated
+The `docker export` command doesn't export the contents of volumes associated
 with the container. If a volume is mounted on top of an existing directory in
-the container, `docker export` will export the contents of the *underlying*
+the container, `docker export` exports the contents of the underlying
 directory, not the contents of the volume.
 
 Refer to [Backup, restore, or migrate data volumes](https://docs.docker.com/storage/volumes/#back-up-restore-or-migrate-data-volumes)
@@ -28,7 +28,7 @@ in the user guide for examples on exporting data in a volume.
 
 ## Examples
 
-Each of these commands has the same result.
+The following commands produce the same result.
 
 ```console
 $ docker export red_panda > latest.tar

docs/reference/commandline/history.md

@@ -62,9 +62,9 @@ Valid placeholders for the Go template are listed below:
 | `.Size`         | Image disk size                                                                                           |
 | `.Comment`      | Comment for image                                                                                         |
 
-When using the `--format` option, the `history` command will either
+When using the `--format` option, the `history` command either
-output the data exactly as the template declares or, when using the
+outputs the data exactly as the template declares or, when using the
-`table` directive, will include column headers as well.
+`table` directive, includes column headers as well.
 
 The following example uses a template without headers and outputs the
 `ID` and `CreatedSince` entries separated by a colon (`:`) for the `busybox`

docs/reference/commandline/run.md

@@ -125,7 +125,6 @@ The `docker run` command runs a command in a new container, pulling the image if
 You can restart a stopped container with all its previous changes intact using `docker start`.
 Use `docker ps -a` to view a list of all containers, including those that are stopped.
 
-
 ## Examples
 
 ### <a name="name"></a> Assign name (--name)
@@ -281,9 +280,14 @@ container.
 
 The UTS namespace is for setting the hostname and the domain that's visible to
 running processes in that namespace. By default, all containers, including
-those with `--network=host`, have their own UTS namespace. The `host` setting
+those with `--network=host`, have their own UTS namespace. Setting `--uts` to
-will result in the container using the same UTS namespace as the host. Note
+`host` results in the container using the same UTS namespace as the host.
-that `--hostname` and `--domainname` are invalid in `host` UTS mode.
+
+> **Note**
+>
+> Docker disallows combining the `--hostname` and `--domainname` flags with
+> `--uts=host`. This is to prevent containers running in the host's UTS
+> namespace from attempting to change the hosts' configuration.
 
 You may wish to share the UTS namespace with the host if you would like the
 hostname of the container to change as the hostname of the host changes. A more
@@ -309,8 +313,9 @@ The `--ipc` flag accepts the following values:
 If not specified, daemon default is used, which can either be `"private"`
 or `"shareable"`, depending on the daemon version and configuration.
 
-IPC (POSIX/SysV IPC) namespace provides separation of named shared memory
+[System V interprocess communication (IPC)](https://linux.die.net/man/5/ipc)
-segments, semaphores and message queues.
+namespaces provide separation of named shared memory segments, semaphores and
+message queues.
 
 Shared memory segments are used to accelerate inter-process communication at
 memory speed, rather than through pipes or through the network stack. Shared
@@ -323,15 +328,17 @@ container, and `"container:<donor-name-or-ID>"` for other containers.
 
 ### <a name="privileged"></a> Full container capabilities (--privileged)
 
+The following example doesn't work, because by default, Docker drops most
+potentially dangerous kernel capabilities, including `CAP_SYS_ADMIN ` (which is
+required to mount filesystems).
+
 ```console
 $ docker run -t -i --rm ubuntu bash
 root@bc338942ef20:/# mount -t tmpfs none /mnt
 mount: permission denied
 ```
 
-This *doesn't* work, because by default, Docker drops most potentially dangerous kernel
+It works when you add the `--privileged` flag:
-capabilities, including `CAP_SYS_ADMIN ` (which is required to mount
-filesystems). However, the `--privileged` flag allows it to run:
 
 ```console
 $ docker run -t -i --privileged ubuntu bash
@@ -341,7 +348,7 @@ Filesystem      Size  Used Avail Use% Mounted on
 none            1.9G     0  1.9G   0% /mnt
 ```
 
-The `--privileged` flag gives *all* capabilities to the container, and it also
+The `--privileged` flag gives all capabilities to the container, and it also
 lifts all the limitations enforced by the `device` cgroup controller. In other
 words, the container can then do almost everything that the host can do. This
 flag exists to allow special use-cases, like running Docker within Docker.
@@ -349,11 +356,11 @@ flag exists to allow special use-cases, like running Docker within Docker.
 ### <a name="workdir"></a> Set working directory (-w, --workdir)
 
 ```console
-$ docker  run -w /path/to/dir/ -i -t  ubuntu pwd
+$ docker run -w /path/to/dir/ -i -t ubuntu pwd
 ```
 
 The `-w` option runs the command executed inside the directory specified, in this example,
-`/path/to/dir/`. If the path does not exist, Docker creates it inside the container.
+`/path/to/dir/`. If the path doesn't exist, Docker creates it inside the container.
 
 ### <a name="storage-opt"></a> Set storage driver options per container (--storage-opt)
 
@@ -384,6 +391,8 @@ container with the `rw`, `noexec`, `nosuid`, `size=65536k` options.
 $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
 ```
 
+For more information, see [tmpfs mounts](https://docs.docker.com/storage/tmpfs/#tmpfs-mounts).
+
 ### <a name="volume"></a> Mount volume (-v)
 
 ```console
@@ -597,14 +606,15 @@ VAR2=value2
 
 When running the command, the Docker CLI client checks the value the variable
 has in your local environment and passes it to the container.
-If no `=` is provided and that variable is not exported in your local
+If no `=` is provided and that variable isn't exported in your local
-environment, the variable isn't set in the container.
+environment, the variable is unset in the container.
 
 You can also load the environment variables from a file. This file should use
 the syntax `<variable>=value` (which sets the variable to the given value) or
-`<variable>` (which takes the value from the local environment), and `#` for comments.
+`<variable>` (which takes the value from the local environment), and `#` for
-Additionally, it's important to note that lines beginning with `#` are treated as line comments
+comments. Lines beginning with `#` are treated as line comments and are
-and are ignored, whereas a `#` appearing anywhere else in a line is treated as part of the variable value.
+ignored, whereas a `#` appearing anywhere else in a line is treated as part of
+the variable value.
 
 ```console
 $ cat env.list
@@ -657,9 +667,8 @@ com.example.label3
 
 You can load multiple label-files by supplying multiple  `--label-file` flags.
 
-For additional information on working with labels, see [*Labels - custom
+For additional information on working with labels, see
-metadata in Docker*](https://docs.docker.com/config/labels-custom-metadata/) in
+[Labels](https://docs.docker.com/config/labels-custom-metadata/).
-the Docker User Guide.
 
 ### <a name="network"></a> Connect a container to a network (--network)
 
@@ -887,9 +896,9 @@ $ cat somefile | docker run -i -a stdin mybuilder dobuild
 
 > **Note**
 >
-> A process running as PID 1 inside a container is treated specially by Linux:
+> A process running as PID 1 inside a container is treated specially by
-> it ignores any signal with the default action. As a result, the process will
+> Linux: it ignores any signal with the default action. So, the process
-> not terminate on `SIGINT` or `SIGTERM` unless it is coded to do so.
+> doesn't terminate on `SIGINT` or `SIGTERM` unless it's coded to do so.
 
 See also [the `docker cp` command](cp.md).
 
@@ -1047,8 +1056,8 @@ Docker supports the following restart policies:
 $ docker run --restart=always redis
 ```
 
-This will run the `redis` container with a restart policy of **always**
+This runs the `redis` container with a restart policy of **always**.
-so that if the container exits, Docker restarts it.
+If the container exits, Docker restarts it.
 
 When a restart policy is active on a container, it shows as either `Up` or
 `Restarting` in [`docker ps`](ps.md). It can also be useful to use [`docker
@@ -1120,16 +1129,16 @@ the container and remove the file system when the container exits, use the
 >
 > If you set the `--rm` flag, Docker also removes the anonymous volumes
 > associated with the container when the container is removed. This is similar
-> to running `docker rm -v my-container`. Only volumes that are specified without
+> to running `docker rm -v my-container`. Only volumes that are specified
-> a name are removed. For example, when running:
+> without a name are removed. For example, when running the following command,
+> volume `/foo` is removed, but not `/bar`:
 >
 > ```console
 > $ docker run --rm -v /foo -v awesome:/bar busybox top
 > ```
 >
-> the volume for `/foo` will be removed, but the volume for `/bar` will not.
+> Volumes inherited via `--volumes-from` are removed with the same logic:
-> Volumes inherited via `--volumes-from` will be removed with the same logic: if
+> if the original volume was specified with a name it isn't removed.
-> the original volume was specified with a name it will **not** be removed.
 
 ### <a name="add-host"></a> Add entries to container hosts file (--add-host)
 
@@ -1315,7 +1324,7 @@ use the following command:
 $ docker run --security-opt no-new-privileges -it ubuntu bash
 ```
 
-This means that commands that raise privileges such as `su` or `sudo` will no longer work.
+This means that commands that raise privileges such as `su` or `sudo` no longer work.
 It also causes any seccomp filters to be applied later, after privileges have been dropped
 which may mean you can have a more restrictive set of filters.
 For more details, see the [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt).

docs/reference/commandline/swarm_init.md

@@ -5,30 +5,30 @@ Initialize a swarm
 
 ### Options
 
-| Name                              | Type          | Default        | Description                                                                                                                  |
+| Name                                        | Type          | Default        | Description                                                                                                                  |
-|:----------------------------------|:--------------|:---------------|:-----------------------------------------------------------------------------------------------------------------------------|
+|:--------------------------------------------|:--------------|:---------------|:-----------------------------------------------------------------------------------------------------------------------------|
-| `--advertise-addr`                | `string`      |                | Advertised address (format: `<ip\|interface>[:port]`)                                                                        |
+| [`--advertise-addr`](#advertise-addr)       | `string`      |                | Advertised address (format: `<ip\|interface>[:port]`)                                                                        |
-| `--autolock`                      |               |                | Enable manager autolocking (requiring an unlock key to start a stopped manager)                                              |
+| [`--autolock`](#autolock)                   |               |                | Enable manager autolocking (requiring an unlock key to start a stopped manager)                                              |
-| `--availability`                  | `string`      | `active`       | Availability of the node (`active`, `pause`, `drain`)                                                                        |
+| [`--availability`](#availability)           | `string`      | `active`       | Availability of the node (`active`, `pause`, `drain`)                                                                        |
-| `--cert-expiry`                   | `duration`    | `2160h0m0s`    | Validity period for node certificates (ns\|us\|ms\|s\|m\|h)                                                                  |
+| `--cert-expiry`                             | `duration`    | `2160h0m0s`    | Validity period for node certificates (ns\|us\|ms\|s\|m\|h)                                                                  |
-| `--data-path-addr`                | `string`      |                | Address or interface to use for data path traffic (format: `<ip\|interface>`)                                                |
+| [`--data-path-addr`](#data-path-addr)       | `string`      |                | Address or interface to use for data path traffic (format: `<ip\|interface>`)                                                |
-| `--data-path-port`                | `uint32`      | `0`            | Port number to use for data path traffic (1024 - 49151). If no value is set or is set to 0, the default port (4789) is used. |
+| [`--data-path-port`](#data-path-port)       | `uint32`      | `0`            | Port number to use for data path traffic (1024 - 49151). If no value is set or is set to 0, the default port (4789) is used. |
-| `--default-addr-pool`             | `ipNetSlice`  |                | default address pool in CIDR format                                                                                          |
+| [`--default-addr-pool`](#default-addr-pool) | `ipNetSlice`  |                | default address pool in CIDR format                                                                                          |
-| `--default-addr-pool-mask-length` | `uint32`      | `24`           | default address pool subnet mask length                                                                                      |
+| `--default-addr-pool-mask-length`           | `uint32`      | `24`           | default address pool subnet mask length                                                                                      |
-| `--dispatcher-heartbeat`          | `duration`    | `5s`           | Dispatcher heartbeat period (ns\|us\|ms\|s\|m\|h)                                                                            |
+| `--dispatcher-heartbeat`                    | `duration`    | `5s`           | Dispatcher heartbeat period (ns\|us\|ms\|s\|m\|h)                                                                            |
-| `--external-ca`                   | `external-ca` |                | Specifications of one or more certificate signing endpoints                                                                  |
+| [`--external-ca`](#external-ca)             | `external-ca` |                | Specifications of one or more certificate signing endpoints                                                                  |
-| `--force-new-cluster`             |               |                | Force create a new cluster from current state                                                                                |
+| [`--force-new-cluster`](#force-new-cluster) |               |                | Force create a new cluster from current state                                                                                |
-| `--listen-addr`                   | `node-addr`   | `0.0.0.0:2377` | Listen address (format: `<ip\|interface>[:port]`)                                                                            |
+| [`--listen-addr`](#listen-addr)             | `node-addr`   | `0.0.0.0:2377` | Listen address (format: `<ip\|interface>[:port]`)                                                                            |
-| `--max-snapshots`                 | `uint64`      | `0`            | Number of additional Raft snapshots to retain                                                                                |
+| [`--max-snapshots`](#max-snapshots)         | `uint64`      | `0`            | Number of additional Raft snapshots to retain                                                                                |
-| `--snapshot-interval`             | `uint64`      | `10000`        | Number of log entries between Raft snapshots                                                                                 |
+| [`--snapshot-interval`](#snapshot-interval) | `uint64`      | `10000`        | Number of log entries between Raft snapshots                                                                                 |
-| `--task-history-limit`            | `int64`       | `5`            | Task history retention limit                                                                                                 |
+| `--task-history-limit`                      | `int64`       | `5`            | Task history retention limit                                                                                                 |
 
 
 <!---MARKER_GEN_END-->
 
 ## Description
 
-Initialize a swarm. The docker engine targeted by this command becomes a manager
+Initialize a swarm. The Docker Engine targeted by this command becomes a manager
 in the newly created single-node swarm.
 
 ## Examples
@@ -40,94 +40,91 @@ Swarm initialized: current node (bvz81updecsj6wjz393c09vti) is now a manager.
 
 To add a worker to this swarm, run the following command:
 
-    docker swarm join \
+    docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx 172.17.0.2:2377
-    --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx \
-    172.17.0.2:2377
 
 To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
 ```
 
-`docker swarm init` generates two random tokens, a worker token and a manager token. When you join
+The `docker swarm init` command generates two random tokens: a worker token and
-a new node to the swarm, the node joins as a worker or manager node based upon the token you pass
+a manager token. When you join a new node to the swarm, the node joins as a
-to [swarm join](swarm_join.md).
+worker or manager node based upon the token you pass to [swarm
+join](swarm_join.md).
 
 After you create the swarm, you can display or rotate the token using
 [swarm join-token](swarm_join-token.md).
 
-### `--autolock`
+### <a name="autolock"></a> Protect manager keys and data (--autolock)
 
-This flag enables automatic locking of managers with an encryption key. The
+The `--autolock` flag enables automatic locking of managers with an encryption
-private keys and data stored by all managers will be protected by the
+key. The private keys and data stored by all managers are protected by the
-encryption key printed in the output, and will not be accessible without it.
+encryption key printed in the output, and is inaccessible without it. Make sure
-Thus, it is very important to store this key in order to activate a manager
+to store this key securely, in order to reactivate a manager after it restarts.
-after it restarts. The key can be passed to `docker swarm unlock` to reactivate
+Pass the key to the `docker swarm unlock` command to reactivate the manager.
-the manager. Autolock can be disabled by running
+You can disable autolock by running `docker swarm update --autolock=false`.
-`docker swarm update --autolock=false`. After disabling it, the encryption key
+After disabling it, the encryption key is no longer required to start the
-is no longer required to start the manager, and it will start up on its own
+manager, and it will start up on its own without user intervention.
-without user intervention.
 
-### `--cert-expiry`
+### <a name=""></a> Configure node healthcheck frequency (--dispatcher-heartbeat)
 
-This flag sets the validity period for node certificates.
+The `--dispatcher-heartbeat` flag sets the frequency at which nodes are told to
+report their health.
 
-### `--dispatcher-heartbeat`
+### <a name="external-ca"></a> Use an external certificate authority (--external-ca)
 
-This flag sets the frequency with which nodes are told to use as a
+This flag sets up the swarm to use an external CA to issue node certificates.
-period to report their health.
+The value takes the form `protocol=X,url=Y`. The value for `protocol` specifies
+what protocol should be used to send signing requests to the external CA.
+Currently, the only supported value is `cfssl`. The URL specifies the endpoint
+where signing requests should be submitted.
 
-### `--external-ca`
+### <a name="force-new-cluster"></a> Force-restart node as a single-mode manager (--force-new-cluster)
 
-This flag sets up the swarm to use an external CA to issue node certificates. The value takes
+This flag forces an existing node that was part of a quorum that was lost to
-the form `protocol=X,url=Y`. The value for `protocol` specifies what protocol should be used
+restart as a single-node Manager without losing its data.
-to send signing requests to the external CA. Currently, the only supported value is `cfssl`.
-The URL specifies the endpoint where signing requests should be submitted.
 
-### `--force-new-cluster`
+### <a name="listen-addr"></a> Specify interface for inbound control plane traffic (--listen-addr)
 
-This flag forces an existing node that was part of a quorum that was lost to restart as a single node Manager without losing its data.
+The node listens for inbound swarm manager traffic on this address. The default
-
+is to listen on `0.0.0.0:2377`. It is also possible to specify a network
-### `--listen-addr`
+interface to listen on that interface's address; for example `--listen-addr
-
+eth0:2377`.
-The node listens for inbound swarm manager traffic on this address. The default is to listen on
-0.0.0.0:2377. It is also possible to specify a network interface to listen on that interface's
-address; for example `--listen-addr eth0:2377`.
 
 Specifying a port is optional. If the value is a bare IP address or interface
-name, the default port 2377 will be used.
+name, the default port 2377 is used.
 
-### `--advertise-addr`
+### <a name="advertise-addr"></a> Specify interface for outbound control plane traffic (--advertise-addr)
 
-This flag specifies the address that will be advertised to other members of the
+The `--advertise-addr` flag specifies the address that will be advertised to
-swarm for API access and overlay networking. If unspecified, Docker will check
+other members of the swarm for API access and overlay networking. If
-if the system has a single IP address, and use that IP address with the
+unspecified, Docker will check if the system has a single IP address, and use
-listening port (see `--listen-addr`). If the system has multiple IP addresses,
+that IP address with the listening port (see `--listen-addr`). If the system
-`--advertise-addr` must be specified so that the correct address is chosen for
+has multiple IP addresses, `--advertise-addr` must be specified so that the
-inter-manager communication and overlay networking.
+correct address is chosen for inter-manager communication and overlay
+networking.
 
-It is also possible to specify a network interface to advertise that interface's address;
+It is also possible to specify a network interface to advertise that
-for example `--advertise-addr eth0:2377`.
+interface's address; for example `--advertise-addr eth0:2377`.
 
 Specifying a port is optional. If the value is a bare IP address or interface
-name, the default port 2377 will be used.
+name, the default port 2377 is used.
 
-### `--data-path-addr`
+### <a name="data-path-addr"></a> Specify interface for data traffic (--data-path-addr)
 
-This flag specifies the address that global scope network drivers will publish towards
+The `--data-path-addr` flag specifies the address that global scope network
-other nodes in order to reach the containers running on this node.
+drivers will publish towards other nodes in order to reach the containers
-Using this parameter it is then possible to separate the container's data traffic from the
+running on this node. Using this parameter you can separate the container's
-management traffic of the cluster.
+data traffic from the management traffic of the cluster.
-If unspecified, Docker will use the same IP address or interface that is used for the
-advertise address.
 
-### `--data-path-port`
+If unspecified, the IP address or interface of the advertise address is used.
 
-This flag allows you to configure the UDP port number to use for data path
+### <a name="data-path-port"></a> Configure port number for data traffic (--data-path-port)
-traffic. The provided port number must be within the 1024 - 49151 range. If
+
-this flag is not set or is set to 0, the default port number 4789 is used.
+The `--data-path-port` flag allows you to configure the UDP port number to use
-The data path port can only be configured when initializing the swarm, and
+for data path traffic. The provided port number must be within the 1024 - 49151
-applies to all nodes that join the swarm.
+range. If this flag isn't set, or if it's set to 0, the default port number
-The following example initializes a new Swarm, and configures the data path
+4789 is used. The data path port can only be configured when initializing the
-port to UDP port 7777;
+swarm, and applies to all nodes that join the swarm. The following example
+initializes a new Swarm, and configures the data path port to UDP port 7777;
 
 ```console
 $ docker swarm init --data-path-port=7777
@@ -146,43 +143,45 @@ Data Path Port: 7777
 <...>
 ```
 
-### `--default-addr-pool`
+### <a name="default-addr-pool"></a> Specify default subnet pools (--default-addr-pool)
-This flag specifies default subnet pools for global scope networks.
-Format example is `--default-addr-pool 30.30.0.0/16 --default-addr-pool 40.40.0.0/16`
 
-### `--default-addr-pool-mask-length`
+The `--default-addr-pool` flag specifies default subnet pools for global scope
-This flag specifies default subnet pools mask length for default-addr-pool.
+networks. For example, to specify two address pools:
-Format example is `--default-addr-pool-mask-length 24`
 
-### `--task-history-limit`
+```console
+$ docker swarm init \
+  --default-addr-pool 30.30.0.0/16 \
+  --default-addr-pool 40.40.0.0/16
+```
 
-This flag sets up task history retention limit.
+Use the `--default-addr-pool-mask-length` flag to specify the default subnet
+pools mask length for the subnet pools.
 
-### `--max-snapshots`
+### <a name="max-snapshots"></a> Set limit for number of snapshots to keep (--max-snapshots)
 
 This flag sets the number of old Raft snapshots to retain in addition to the
 current Raft snapshots. By default, no old snapshots are retained. This option
 may be used for debugging, or to store old snapshots of the swarm state for
 disaster recovery purposes.
 
-### `--snapshot-interval`
+### <a name="snapshot-interval"></a> Configure Raft snapshot log interval (--snapshot-interval)
 
-This flag specifies how many log entries to allow in between Raft snapshots.
+The `--snapshot-interval` flag specifies how many log entries to allow in
-Setting this to a higher number will trigger snapshots less frequently.
+between Raft snapshots. Setting this to a high number will trigger snapshots
-Snapshots compact the Raft log and allow for more efficient transfer of the
+less frequently. Snapshots compact the Raft log and allow for more efficient
-state to new managers. However, there is a performance cost to taking snapshots
+transfer of the state to new managers. However, there is a performance cost to
-frequently.
+taking snapshots frequently.
 
-### `--availability`
+### <a name="availability"></a> Configure the availability of a manager (--availability)
 
-This flag specifies the availability of the node at the time the node joins a master.
+The `--availability` flag specifies the availability of the node at the time
-Possible availability values are `active`, `pause`, or `drain`.
+the node joins a master. Possible availability values are `active`, `pause`, or
+`drain`.
 
-This flag is useful in certain situations. For example, a cluster may want to have
+This flag is useful in certain situations. For example, a cluster may want to
-dedicated manager nodes that are not served as worker nodes. This could be achieved
+have dedicated manager nodes that don't serve as worker nodes. You can do this
 by passing `--availability=drain` to `docker swarm init`.
 
-
 ## Related commands
 
 * [swarm ca](swarm_ca.md)

docs/reference/commandline/system_df.md

@@ -16,11 +16,11 @@ Show docker disk usage
 ## Description
 
 The `docker system df` command displays information regarding the
-amount of disk space used by the docker daemon.
+amount of disk space used by the Docker daemon.
 
 ## Examples
 
-By default the command will just show a summary of the data used:
+By default the command displays a summary of the data used:
 
 ```console
 $ docker system df
@@ -31,7 +31,7 @@ Containers          2                   0                   212 B
 Local Volumes       2                   1                   36 B                0 B (0%)
 ```
 
-A more detailed view can be requested using the `-v, --verbose` flag:
+Use the `-v, --verbose` flag to get more detailed information:
 
 ```console
 $ docker system df -v
@@ -59,19 +59,19 @@ my-named-vol                                                       0
 ```
 
 * `SHARED SIZE` is the amount of space that an image shares with another one (i.e. their common data)
-* `UNIQUE SIZE` is the amount of space that is only used by a given image
+* `UNIQUE SIZE` is the amount of space that's only used by a given image
-* `SIZE` is the virtual size of the image, it is the sum of `SHARED SIZE` and `UNIQUE SIZE`
+* `SIZE` is the virtual size of the image, it's the sum of `SHARED SIZE` and `UNIQUE SIZE`
 
 > **Note**
 >
-> Network information is not shown because it does not consume disk space.
+> Network information isn't shown, because it doesn't consume disk space.
 
 ## Performance
 
-The `system df` command can be very resource-intensive. It traverses the
+Running the `system df` command can be resource-intensive. It traverses the
 filesystem of every image, container, and volume in the system. You should be
 careful running this command in systems with lots of images, containers, or
-volumes or in systems where some images, containers, or volumes have very large
+volumes or in systems where some images, containers, or volumes have large
 filesystems with many files. You should also be careful not to run this command
 in systems where performance is critical.
 
@@ -92,7 +92,7 @@ Valid placeholders for the Go template are listed below:
 
 When using the `--format` option, the `system df` command outputs
 the data exactly as the template declares or, when using the
-`table` directive, will include column headers as well.
+`table` directive, includes column headers as well.
 
 The following example uses a template without headers and outputs the
 `Type` and `TotalCount` entries separated by a colon (`:`):

docs/reference/commandline/system_events.md

@@ -108,11 +108,11 @@ Docker daemons report the following events:
 The `--since` and `--until` parameters can be Unix timestamps, date formatted
 timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
 relative to the client machine’s time. If you do not provide the `--since` option,
-the command returns only new and/or live events.  Supported formats for date
+the command returns only new and/or live events. Supported formats for date
 formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
 `2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
 timezone on the client will be used if you do not provide either a `Z` or a
-`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+`+-00:00` timezone offset at the end of the timestamp. When providing Unix
 timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
 that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
 seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
@@ -124,25 +124,25 @@ The filtering flag (`-f` or `--filter`) format is of "key=value". If you would
 like to use multiple filters, pass multiple flags (e.g.,
 `--filter "foo=bar" --filter "bif=baz"`)
 
-Using the same filter multiple times will be handled as a *OR*; for example
+Using the same filter multiple times will be handled as a logical `OR`; for example,
-`--filter container=588a23dac085 --filter container=a8f7720b8c22` will display
+`--filter container=588a23dac085 --filter container=a8f7720b8c22` displays
-events for container 588a23dac085 *OR* container a8f7720b8c22
+events for container `588a23dac085` or container `a8f7720b8c22`.
 
-Using multiple filters will be handled as a *AND*; for example
+Using multiple filters will be handled as a logical `AND`; for example,
-`--filter container=588a23dac085 --filter event=start` will display events for
+`--filter container=588a23dac085 --filter event=start` displays events for
-container container 588a23dac085 *AND* the event type is *start*
+container `588a23dac085` and where the event type is `start`.
 
 The currently supported filters are:
 
-* container (`container=<name or id>`)
+- container (`container=<name or id>`)
-* daemon (`daemon=<name or id>`)
+- daemon (`daemon=<name or id>`)
-* event (`event=<event action>`)
+- event (`event=<event action>`)
-* image (`image=<tag or id>`)
+- image (`image=<tag or id>`)
-* label (`label=<key>` or `label=<key>=<value>`)
+- label (`label=<key>` or `label=<key>=<value>`)
-* network (`network=<name or id>`)
+- network (`network=<name or id>`)
-* plugin (`plugin=<name or id>`)
+- plugin (`plugin=<name or id>`)
-* type (`type=<container or image or volume or network or daemon or plugin>`)
+- type (`type=<container or image or volume or network or daemon or plugin>`)
-* volume (`volume=<name or id>`)
+- volume (`volume=<name or id>`)
 
 ## Examples
 
@@ -181,7 +181,7 @@ To exit the `docker system events` command, use `CTRL+C`.
 ### Filter events by time
 
 You can filter the output by an absolute timestamp or relative time on the host
-machine, using the following different time syntaxes:
+machine, using the following different time formats:
 
 ```console
 $ docker system events --since 1483283804
@@ -307,7 +307,7 @@ $ docker system events --filter 'type=plugin'
 
 ### <a name="format"></a> Format the output (--format)
 
-If a format (`--format`) is specified, the given template will be executed
+If you specify a format (`--format`), the given template is executed
 instead of the default format. Go's [text/template](https://pkg.go.dev/text/template)
 package describes all the details of the format.
 
@@ -324,8 +324,8 @@ Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299
 
 #### Format as JSON
 
-If a format is set to `{{json .}}`, the events are streamed as valid JSON
+If a format is set to `{{json .}}`, events are streamed in the JSON Lines format.
-Lines. For information about JSON Lines, please refer to https://jsonlines.org/ .
+For information about JSON Lines, see <https://jsonlines.org/>.
 
 ```console
 $ docker system events --format '{{json .}}'

docs/reference/commandline/system_prune.md

@@ -17,7 +17,7 @@ Remove unused data
 
 ## Description
 
-Remove all unused containers, networks, images (both dangling and unreferenced),
+Remove all unused containers, networks, images (both dangling and unused),
 and optionally, volumes.
 
 ## Examples
@@ -48,7 +48,7 @@ deleted: sha256:45761469c965421a92a69cc50e92c01e0cfa94fe026cdd1233445ea00e96289a
 Total reclaimed space: 1.84kB
 ```
 
-By default, volumes are not removed to prevent important data from being
+By default, volumes aren't removed to prevent important data from being
 deleted if there is currently no container using the volume. Use the `--volumes`
 flag when running the command to prune anonymous volumes as well:
 
@@ -109,7 +109,7 @@ relative to the daemon machine’s time. Supported formats for date
 formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
 `2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
 timezone on the daemon will be used if you do not provide either a `Z` or a
-`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+`+-00:00` timezone offset at the end of the timestamp. When providing Unix
 timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
 that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
 seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a

docs/reference/commandline/tag.md

@@ -17,30 +17,30 @@ A full image name has the following format and components:
 `[HOST[:PORT_NUMBER]/]PATH`
 
 - `HOST`: The optional registry hostname specifies where the image is located.
-The hostname must comply with standard DNS rules, but may not contain
+  The hostname must comply with standard DNS rules, but may not contain
-underscores. If the hostname is not specified, the command uses Docker's public
+  underscores. If you don't specify a hostname, the command uses Docker's public
-registry at `registry-1.docker.io` by default. Note that `docker.io` is the
+  registry at `registry-1.docker.io` by default. Note that `docker.io` is the
-canonical reference for Docker's public registry.
+  canonical reference for Docker's public registry.
 - `PORT_NUMBER`: If a hostname is present, it may optionally be followed by a
-registry port number in the format `:8080`.
+  registry port number in the format `:8080`.
 - `PATH`: The path consists of slash-separated components. Each
-component may contain lowercase letters, digits and separators. A separator is
+  component may contain lowercase letters, digits and separators. A separator is
-defined as a period, one or two underscores, or one or more hyphens. A component
+  defined as a period, one or two underscores, or one or more hyphens. A component
-may not start or end with a separator. While the
+  may not start or end with a separator. While the
-[OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
+  [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
-supports more than two slash-separated components, most registries only support
+  supports more than two slash-separated components, most registries only support
-two slash-separated components. For Docker's public registry, the path format is
+  two slash-separated components. For Docker's public registry, the path format is
-as follows:
+  as follows:
   - `[NAMESPACE/]REPOSITORY`: The first, optional component is typically a
-user's or an organization's namespace. The second, mandatory component is the
+  user's or an organization's namespace. The second, mandatory component is the
-repository name. When the namespace is not present, Docker uses `library`
+  repository name. When the namespace is not present, Docker uses `library`
-as the default namespace.
+  as the default namespace.
 
 After the image name, the optional `TAG` is a custom, human-readable manifest
-identifier that is typically a specific version or variant of an image. The tag
+identifier that's typically a specific version or variant of an image. The tag
 must be valid ASCII and can contain lowercase and uppercase letters, digits,
-underscores, periods, and hyphens. It cannot start with a period or hyphen and
+underscores, periods, and hyphens. It can't start with a period or hyphen and
-must be no longer than 128 characters. If the tag is not specified, the command uses `latest` by default.
+must be no longer than 128 characters. If you don't specify a tag, the command uses `latest` by default.
 
 You can group your images together using names and tags, and then
 [push](https://docs.docker.com/engine/reference/commandline/push) them to a
@@ -50,8 +50,8 @@ registry.
 
 ### Tag an image referenced by ID
 
-To tag a local image with ID "0e5574283393" as "fedora/httpd" with the tag
+To tag a local image with ID `0e5574283393` as `fedora/httpd` with the tag
-"version1.0":
+`version1.0`:
 
 ```console
 $ docker tag 0e5574283393 fedora/httpd:version1.0
@@ -59,19 +59,19 @@ $ docker tag 0e5574283393 fedora/httpd:version1.0
 
 ### Tag an image referenced by Name
 
-To tag a local image "httpd" as "fedora/httpd" with the tag "version1.0":
+To tag a local image `httpd` as `fedora/httpd` with the tag `version1.0`:
 
 ```console
 $ docker tag httpd fedora/httpd:version1.0
 ```
 
-Note that since the tag name is not specified, the alias is created for an
+Note that since the tag name isn't specified, the alias is created for an
 existing local version `httpd:latest`.
 
 ### Tag an image referenced by Name and Tag
 
-To tag a local image with the name "httpd" and the tag "test" as "fedora/httpd"
+To tag a local image with the name `httpd` and the tag `test` as `fedora/httpd`
-with the tag "version1.0.test":
+with the tag `version1.0.test`:
 
 ```console
 $ docker tag httpd:test fedora/httpd:version1.0.test
@@ -84,4 +84,4 @@ must include the registry hostname and port (if needed).
 
 ```console
 $ docker tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0
-```
+```

docs/reference/commandline/trust_key_generate.md

@@ -15,7 +15,7 @@ Generate and load a signing key-pair
 ## Description
 
 `docker trust key generate` generates a key-pair to be used with signing,
- and loads the private key into the local docker trust keystore.
+ and loads the private key into the local Docker trust keystore.
 
 ## Examples
 
@@ -32,7 +32,7 @@ $ ls
 alice.pub
 ```
 
-The private signing key is encrypted by the passphrase and loaded into the docker trust keystore.
+The private signing key is encrypted by the passphrase and loaded into the Docker trust keystore.
 All passphrase requests to sign with the key will be referred to by the provided `NAME`.
 
 The public key component `alice.pub` will be available in the current working directory, and can

docs/reference/commandline/trust_key_load.md

@@ -14,7 +14,7 @@ Load a private key file for signing
 
 ## Description
 
-`docker trust key load` adds private keys to the local docker trust keystore.
+`docker trust key load` adds private keys to the local Docker trust keystore.
 
 To add a signer to a repository use `docker trust signer add`.
 

docs/reference/commandline/trust_revoke.md

@@ -20,7 +20,7 @@ Remove trust for an image
 
 ### Revoke signatures from a signed tag
 
-Here's an example of a repo with two signed tags:
+Here's an example of a repository with two signed tags:
 
 
 ```console

docs/reference/commandline/trust_sign.md

@@ -18,7 +18,7 @@ Sign an image
 
 ## Examples
 
-### Sign a tag as a repo admin
+### Sign a tag as a repository admin
 
 Given an image:
 
@@ -125,9 +125,9 @@ Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
 Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
 ```
 
-## Initialize a new repo and sign a tag
+## Initialize a new repository and sign a tag
 
-When signing an image on a repo for the first time, `docker trust sign` sets up new keys before signing the image.
+When signing an image on a repository for the first time, `docker trust sign` sets up new keys before signing the image.
 
 ```console
 $ docker trust inspect --pretty example/trust-demo

docs/reference/commandline/trust_signer_add.md

@@ -18,7 +18,7 @@ Add a signer
 
 ## Examples
 
-### Add a signer to a repo
+### Add a signer to a repository
 
 To add a new signer, `alice`, to this repository:
 
@@ -66,9 +66,9 @@ Repository Key: 642692c14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
 Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
 ```
 
-## Initialize a new repo and add a signer
+## Initialize a new repository and add a signer
 
-When adding a signer on a repo for the first time, `docker trust signer add` sets up a new repo if it doesn't exist.
+When adding a signer on a repository for the first time, `docker trust signer add` sets up a new repository if it doesn't exist.
 
 ```console
 $ docker trust inspect --pretty example/trust-demo
@@ -107,8 +107,10 @@ Repository Key: 95b9e5565eac3ef5ec01406801bdfb70feb40c17808d2222427c18046eb63beb
 Root Key:       748121c14bd1461f6c58cb3ef39087c8fdc7633bb11a98af844fd9a04e208103
 ```
 
-## Add a signer to multiple repos
+## Add a signer to multiple repositories
+
 To add a signer, `alice`, to multiple repositories:
+
 ```console
 $ docker trust inspect --pretty example/trust-demo
 
@@ -192,8 +194,8 @@ Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d926
 Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
 ```
 
-
+`docker trust signer add` adds signers to repositories on a best effort basis.
-`docker trust signer add` adds signers to repositories on a best effort basis, so it will continue to add the signer to subsequent repositories if one attempt fails:
+It continues to add the signer to subsequent repositories if one attempt fails:
 
 ```console
 $ docker trust signer add alice example/unauthorized example/authorized --key alice.crt

docs/reference/commandline/trust_signer_remove.md

@@ -18,7 +18,7 @@ Remove a signer
 
 ## Examples
 
-### Remove a signer from a repo
+### Remove a signer from a repository
 
 To remove an existing signer, `alice`, from this repository:
 
@@ -49,7 +49,7 @@ Enter passphrase for repository key with ID 642692c:
 Successfully removed alice from example/trust-demo
 ```
 
-`docker trust inspect --pretty` now does not list `alice` as a valid signer:
+`docker trust inspect --pretty` now doesn't list `alice` as a valid signer:
 
 ```console
 $ docker trust inspect --pretty example/trust-demo
@@ -67,7 +67,7 @@ Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
 Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
 ```
 
-### Remove a signer from multiple repos
+### Remove a signer from multiple repositories
 
 To remove an existing signer, `alice`, from multiple repositories:
 
@@ -154,9 +154,8 @@ Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d926
 Root Key:       3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
 ```
 
-`docker trust signer remove` removes signers to repositories on a best effort
+`docker trust signer remove` removes signers to repositories on a best effort basis.
-basis, so it will continue to remove the signer from subsequent repositories if
+It continues to remove the signer from subsequent repositories if one attempt fails:
-one attempt fails:
 
 ```console
 $ docker trust signer remove alice example/unauthorized example/authorized
@@ -170,4 +169,3 @@ Successfully removed alice from example/authorized
 
 Error removing signer from: example/unauthorized
 ```
-

docs/reference/commandline/volume_create.md

@@ -41,23 +41,23 @@ hello
 $ docker run -d -v hello:/world busybox ls /world
 ```
 
-The mount is created inside the container's `/world` directory. Docker does not
+The mount is created inside the container's `/world` directory. Docker doesn't
 support relative paths for mount points inside the container.
 
-Multiple containers can use the same volume in the same time period. This is
+Multiple containers can use the same volume. This is useful if two containers
-useful if two containers need access to shared data. For example, if one
+need access to shared data. For example, if one container writes and the other
-container writes and the other reads the data.
+reads the data.
 
-Volume names must be unique among drivers. This means you cannot use the same
+Volume names must be unique among drivers. This means you can't use the same
-volume name with two different drivers. If you attempt this `docker` returns an
+volume name with two different drivers. Attempting to create two volumes with
-error:
+the same name results in an error:
 
 ```console
 A volume named  "hello"  already exists with the "some-other" driver. Choose a different volume name.
 ```
 
 If you specify a volume name already in use on the current driver, Docker
-assumes you want to re-use the existing volume and does not return an error.
+assumes you want to re-use the existing volume and doesn't return an error.
 
 ### <a name="opt"></a> Driver-specific options (-o, --opt)
 
@@ -74,13 +74,12 @@ $ docker volume create --driver fake \
 These options are passed directly to the volume driver. Options for
 different volume drivers may do different things (or nothing at all).
 
-The built-in `local` driver on Windows does not support any options.
+The built-in `local` driver accepts no options on Windows. On Linux and with
-
+Docker Desktop, the `local` driver accepts options similar to the Linux `mount`
-The built-in `local` driver on Linux accepts options similar to the linux
+command. You can provide multiple options by passing the `--opt` flag multiple
-`mount` command. You can provide multiple options by passing the `--opt` flag
+times. Some `mount` options (such as the `o` option) can take a comma-separated
-multiple times. Some `mount` options (such as the `o` option) can take a
+list of options. Complete list of available mount options can be found
-comma-separated list of options. Complete list of available mount options can be
+[here](https://man7.org/linux/man-pages/man8/mount.8.html).
-found [here](https://man7.org/linux/man-pages/man8/mount.8.html).
 
 For example, the following creates a `tmpfs` volume called `foo` with a size of
 100 megabyte and `uid` of 1000.

docs/reference/commandline/volume_ls.md

@@ -52,7 +52,7 @@ than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "b
 
 The currently supported filters are:
 
-- dangling (boolean - true or false, 0 or 1)
+- dangling (Boolean - true or false, 0 or 1)
 - driver (a volume driver's name)
 - label (`label=<key>` or `label=<key>=<value>`)
 - name (a volume's name)
@@ -89,7 +89,7 @@ local               tyler
 The `label` filter matches volumes based on the presence of a `label` alone or
 a `label` and a value.
 
-First, let's create some volumes to illustrate this;
+First, create some volumes to illustrate this;
 
 ```console
 $ docker volume create the-doctor --label is-timelord=yes

docs/reference/commandline/volume_prune.md

@@ -51,7 +51,6 @@ which removes volumes with the specified labels. The other
 format is the `label!=...` (`label!=<key>` or `label!=<key>=<value>`), which removes
 volumes without the specified labels.
 
-
 ## Related commands
 
 * [volume create](volume_create.md)

docs/reference/commandline/volume_rm.md

@@ -20,7 +20,7 @@ Remove one or more volumes. You cannot remove a volume that is in use by a conta
 
 ## Description
 
-Remove one or more volumes. You cannot remove a volume that is in use by a container.
+Remove one or more volumes. You can't remove a volume that's in use by a container.
 
 ## Examples
 

docs/reference/run.md

@@ -1207,7 +1207,7 @@ The health status is also displayed in the `docker ps` output.
 
 ### User
 
-The default user within a container is `root` (id = 0). You can set a default
+The default user within a container is `root` (uid = 0). You can set a default
 user to run the first process with the Dockerfile `USER` instruction. When
 starting a container, you can override the `USER` instruction by passing the
 `-u` option.
@@ -1240,4 +1240,4 @@ $ docker run --rm -w /my/workdir alpine pwd
 /my/workdir
 ```
 
-If the directory doesn't already exist in the container, it will be created.
+If the directory doesn't already exist in the container, it's created.