I have added
DOCKER_OPTS="-H tcp://0.0.0.0:2375"
to /etc/default/docker to make the Docker API accessible on my host machine (I'm running Docker in Virtualbox on an Ubuntu VM). However, when I try to run any Docker commands now, I just get this error message:
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
I have tried sudo service docker restart, and restarted the machine, but nothing has worked. Any idea what the problem is?
To use the daemon through the tcp socket the option -H tcp://0.0.0.0:2375 should be added to the command docker (both for the daemon and run).
To access the daemon with its default unix socket make sure that the Docker daemon is also started with the option -H=unix:///var/run/docker.sock.
Note that using the tcp is dangerous if you do not trust the network you are in. Here is the doc from the man page:
-H, --host=[unix:///var/run/docker.sock]: tcp://[host]:[port][path] to bind or unix://[/path/to/socket] to use.
The socket(s) to bind to in daemon mode specified using one or more
tcp://host:port/path, unix:///path/to/socket, fd://* or fd://socketfd.
If the tcp port is not specified, then it will default to either 2375 when
--tls is off, or 2376 when --tls is on, or --tlsverify is specified.
Related
I see various instances of ports 2375 and 4243 being used for seemingly the same thing while searching the internet. Also, my local machine requires I use 2375 to connect whereas when I push it to our CI server it requires it be set to 4243.
What does Docker use these ports for and how do they differ?
The docker socket can be configured on any port with the dockerd -H option. Common docker ports that I see include:
2375: unencrypted docker socket, remote root passwordless access to the host
2376: tls encrypted socket, most likely this is your CI servers 4243 port as a modification of the https 443 port
2377: swarm mode socket, for swarm managers, not for docker clients
5000: docker registry service
4789 and 7946: overlay networking
Only the first two are set with dockerd -H, swarm mode can be configured as part of docker swarm init --listen-addr or docker swarm join --listen-addr.
I strongly recommend disabling the 2375 port and securing your docker socket. It's trivial to remotely exploit this port to gain full root access without a password from remote. The command to do so is as simple as:
docker -H $your_ip:2375 run -it --rm \
--privileged -v /:/rootfs --net host --pid host busybox
That can be run on any machine with a docker client to give someone a root shell on your host with the full filesystem available under /rootfs, your network visible under ip a, and every process visible under ps -ef.
To setup TLS security on the docker socket, see these instructions. https://docs.docker.com/engine/security/https/
I have following error when I try to use docker on my Mac:
FATA[0000] Get http:///var/run/docker.sock/v1.17/version: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?
It doesn't matter if I use sudo or not... It doesn't matter which docker command I use or if I use brew or boot2docker to install it...
What should I do to resolve this issue ?
The Docker daemon does not run natively on a Mac. Until it does, there will never be a socket for communicating with the daemon at /var/run/. You must therefore use TCP to communicate with the daemon because the daemon must be running on another machine (or a VM). Unix sockets only talk to processes running on the local machine. The unix socket method is very secure since it is only on the local machine and you must be root (or in the docker group) to talk with this socket.
Insecure (but easy) TCP Client-Server Communications
You can run the Docker Engine in a very insecure way by setting some environment variables on the client end and starting your daemon in an insecure way on the daemon end:
Client: substitute the machine's host IP and port
DOCKER_HOST=tcp://host:2375
DOCKER_TLS_VERIFY=0
Daemon
docker -d -H tcp://0.0.0.0:2375
(see also https://docs.docker.com/reference/commandline/cli/#daemon-socket-option)
Secure TCP Communications
Since you probably don't want random people talking to your docker daemon over the internet, you should run with TLS enabled. That's complicated, but all the steps are listed in the docs. boot2docker and kitematic on Macs hides this complexity by setting up the TLS certificates for you and setting the environment variables needed to find the daemon.
I just installed Docker on mu Ubuntu 14.10 64 bit OS and I followed the steps to create the necessary certificates and keys so that I can secure my docker http remote connections. When I tried to issue the following command,
sudo docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=x.x.x.x:2376 version
I get to see the following error message:
Cannot connect to the Docker daemon. Is 'docker -d' running on this host
The -H=x.x.x.x is the host as I see when I did a ifconfig and found the host from the docker0 entry that was listed.
Please help me identify why I'm not able to do anything with my daemon.
Did you change the options on the daemon itself? Paraphrasing the docs:
You can listen on port 2376 on all network interfaces with -H tcp://0.0.0.0:2376, or on a particular network interface using its IP address: -H tcp://192.168.59.103:2376.
To do this you could edit /etc/init/docker.conf and update the DOCKER_OPTS variable
Sometime ago i had this issue :
"Cannot connect to the Docker daemon at tcp://127.0.0.1:2376. Is the docker daemon running?"
Looking an your question, you did not specify if you are working on Ubuntu WSL (Bash).
Regardless of your env configuration.
Looking for the file ".bashrc" in your
add the following to it
export DOCKER_HOST=tcp://192.168.59.103:2376
Happy Devops!
I have installed Ubuntu and Docker. I am trying to launch Raik container:
$ DOCKER_RIAK_AUTOMATIC_CLUSTERING=1 DOCKER_RAIK_CLUSTER_SIZE=5 DOCKER_RIAK_BACKEND=leveldb make start-cluster ./bin/start
and get the error message:
It looks like the environment variable DOCKER_HOST has not been set.
The Riak cluster cannot be started unless this has been set
appropriately. For example:
export DOCKER_HOST="tcp://127.0.0.1:2375"
If I set
export DOCKER_HOST="tcp://127.0.0.1:2375"
all my other containers stop working and said, that can not find the Docker daemon.
It looks like my Docker damon use other than 2375 port. How can I check it ?
By default, the docker daemon will use the unix socket unix:///var/run/docker.sock (you can check this is the case for you by doing a sudo netstat -tunlp and note that there is no docker daemon process listening on any ports). It's recommended to keep this setting for security reasons but it sounds like Riak requires the daemon to be running on a TCP socket.
To start the docker daemon with a TCP socket that anybody can connect to, use the -H option:
sudo docker -H 0.0.0.0:2375 -d &
Warning: This means machines that can talk to the daemon through that TCP socket can get root access to your host machine.
Related docs:
http://basho.com/posts/technical/running-riak-in-docker/
https://docs.docker.com/install/linux/linux-postinstall/#configure-where-the-docker-daemon-listens-for-connections
Prepare extra configuration file. Create a file named /etc/systemd/system/docker.service.d/docker.conf. Inside the file docker.conf, paste below content:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
Note that if there is no directory like docker.service.d or a file named docker.conf then you should create it.
Restart Docker. After saving this file, reload the configuration by systemctl daemon-reload and restart Docker by systemctl restart docker.service.
Check your Docker daemon. After restarting docker service, you can see the port in the output of systemctl status docker.service
like /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock.
Hope this may help
Thank you!
Reference docs of docker: https://docs.docker.com/install/linux/linux-postinstall/#configure-where-the-docker-daemon-listens-for-connections
There are 2 ways in configuring the docker daemon port
1) Configuring at /etc/default/docker file:
DOCKER_OPTS="-H tcp://127.0.0.1:5000 -H unix:///var/run/docker.sock"
2) Configuring at /etc/docker/daemon.json:
{
"debug": true,
"hosts": ["tcp://127.0.0.1:5000", "unix:///var/run/docker.sock"]
}
If the docker default socket is not configured Docker will wait for infinite period.i.e
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
NOTE : BUT DON'T CONFIGURE IN BOTH THE CONFIGURATION FILES, the following error may occur :
Waiting for /var/run/docker.sock
unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: hosts: (from flag: [tcp://127.0.0.1:5000 unix:///var/run/docker.sock], from file: tcp://127.0.0.1:5000)
The reason for adding both the user port[ tcp://127.0.0.1:5000] and default docker socket[unix:///var/run/docker.sock] is that the user port enables the access to the docker APIs whereas the default socket enables the CLI. In case the default port[unix:///var/run/docker.sock] is not mentioned in /etc/default/docker file the following error may occur:
# docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
This error is not because that the docker is not running, but because of default docker socket is not enabled.
Once the configuration is enabled restart the docker service and verify the docker port is enabled or not:
# netstat -tunlp | grep -i 5000
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 31661/dockerd
Applicable for Docker Version 17.04, may vary with different versions of docker.
Since I also had the same problem of "How to detect a docker daemon port" however I had on OSX and after little digging in I found the answer. I thought to share the answer here for people coming from osx.
If you visit known-issues from docker for mac and github issue, you will find that by default the docker daemon only listens on unix socket /var/run/docker.sock and not on tcp. The default port for docker is 2375 (unencrypted) and 2376(encrypted) communication over tcp(although you can choose any other port).
On OSX its not straight forward to run the daemon on tcp port. To do this one way is to use socat container to redirect the Docker API exposed on the unix domain socket to the host port on OSX.
docker run -d -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 bobrik/socat TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock
and then
export DOCKER_HOST=tcp://localhost:2375
However for local client on mac os you don't need to export DOCKER_HOST variable to test the api.
If you run ps -aux | grep dockerd you should see the endpoints it is running on.
Try add -H tcp://0.0.0.0:2375(at end of Execstart line) instead of -H 0.0.0.0:2375.
I have a docker daemon installed in UbuntuA machine.
I am using UbuntuB machine as the docker client.
I know that UbuntuA machine has the docker daemon installed and can do operations as well.
But I am not getting on which port it is running.
I am using this command :
sudo docker -H tcp://127.0.0.1:5555 -d &
and after this , when I use the following command:
sudo docker -H tcp://127.0.0.1:5555 info
I am getting an error : docker daemon not found .
How to find out on which port , the daemon is running?
Using the -H tcp://127.0.0.1:5555 docker daemon option on the UbuntuA machine will instruct docker to bind to the loopback network interface (127.0.0.1). As a result it will only accept connections originating from the UbuntuA machine.
If you want to accept connections incoming from any network interface use -H tcp://0.0.0.0:5555. Be aware that anyone that would be able to connect to your UbuntuA machine on port 5555 will be able to control your docker host. You need to protect it with firewall rules to allow only UbuntuB to connect to UbuntuA on port 5555.