Develop Reference

Starting container failed: subnet sandbox join failed for \"10.255.0.0/16\"

I am trying to port my "normal" container I run using:
docker run -d -p 8001:80 myImage:20181011123308
to a docker service, so I can use docker secrets. My service is running on a linux machine and should be exposed to the internet with port 8001:
docker service create --with-registry-auth --network my-overlay --name kinoheld --publish published=8001,target=80 --tty myImage:20181011123308
After a long search I found, that docker is logging the following error:
Oct 11 16:35:32 ns3311367.ip-5-135-162.eu dockerd[1621]:
time="2018-10-11T16:35:32.578017228+02:00" level=error msg="fatal task
error" error="starting container failed: subnet sandbox join failed
for \"10.255.0.0/16\": error creating vxlan interface: operation not
supported" module="node/agent/taskmanager"
node.id=kafpbh873owp6e3us4zx1gghg service.id=rel9onyvcc82rrk7jsho9pgnz
task.id=whnjff89hr7d6n4phvd1ead4d
But I don't know what the error means exactly and how to resolve it. Is anyone able to help me with this error and can tell me, what the problem might be?
I am currently running docker version 17.05.0-ce
My debian host is running linux:
uname -r
4.9.87-xxxx-std-ipv6-64

I was a problem with the installed linux kernel.
The VPS / root server hoster OVH does use a custom kernel, which did not have activated vxlan support.

From https://github.com/moby/libnetwork/issues/1765#issuecomment-464223535
Check if you have vx- interface on host:
ip link show | grep vx
If so, delete them, it worked for me:
ip link delete vx-xxxx

How do I find the Docker REST API URL?

I have installed the Docker build step plugin for Jenkins.
The documentation is telling me:
Name : Choose a name for this Docker cloud provider
Docker URL: The URL to use to access your Docker server API (e.g: http://172.16.42.43:4243)
How can I find my URL to the REST API (I have Docker installed on my host)?

If you are on Linux and need to connect to Docker API on the local machine, its URL is probably unix:///var/run/docker.sock, like it is mentioned in documentation: Develop with Docker Engine SDKs and API
By default the Docker daemon listens on unix:///var/run/docker.sock and the client must have root access to interact with the daemon. If a group named docker exists on your system, docker applies ownership of the socket to the group.
This might be helpful if you are connecting to Docker from a JetBrains IDE.

Here are two approaches.
How do I access the Docker REST API remotely?
Warning: After this setup your Docker REST API port (in this case 1111) is exposed to remote
access.
Here is how I enabled it on Ubuntu 16.04 (Xenial Xerus).
Edit the docker service file (it is better to avoid directly editing /lib/systemd/system/docker.service as it will be replaced on upgrades)
sudo systemctl edit docker.service
Add the following content
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:1111
For docker 18+, the content is a bit different:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:1111
Save the modified file. Here I used port 1111, but any free port can be used.
Make sure the Docker service notices the modified configuration:
systemctl daemon-reload
Restart the Docker service:
sudo service docker restart
Test
curl http://localhost:1111/version
See the result
{"Version":"17.05.0-ce","ApiVersion":"1.29","MinAPIVersion":"1.12","GitCommit":"89658be","GoVersion":"go1.7.5","Os":"linux","Arch":"amd64","KernelVersion":"4.15.0-20-generic","BuildTime":"2017-05-04T22:10:54.638119411+00:00"}
Now you can use the REST API.
How do I access the Docker REST API through a socket (from localhost)?
Connect the internal Unix socket somewhat like this,
Using curl
curl --unix-socket /var/run/docker.sock http:/localhost/version
And here is how to do it using PHP
$fs = fsockopen('/var/run/docker.sock');
fwrite($fs, "GET / HTTP/1.1\r\nHOST: http:/images/json\r\n\r\n");
while (!feof($fs)) {
print fread($fs,256);
}
In PHP 7 you can use curl_setopt with the CURLOPT_UNIX_SOCKET_PATH option.

It depends on your host, but look for /etc/default/docker or /var/lib/boot2docker/profile (for Docker Machine hosts using a boot2docker VM).
You will see the port used by the docker daemon, for instance:
DOCKER_OPTS="-H unix:// -H tcp://0.0.0.0:2375"
^^^^^
Then get the IP address of the machine hosting your Docker daemon.
(With a Docker Machine created host, that would be: docker-machine ip <yourmachine>.)
The URL to use is the combination of those the IP address and the port.

If you are on windows:
npipe:////./pipe/docker_engine
source: https://docs.docker.com/docker-for-windows/faqs/#how-do-i-connect-to-the-remote-docker-engine-api

How to access Docker daemon through tcp-socker?

I have added
DOCKER_OPTS="-H tcp://0.0.0.0:2375"
to /etc/default/docker to make the Docker API accessible on my host machine (I'm running Docker in Virtualbox on an Ubuntu VM). However, when I try to run any Docker commands now, I just get this error message:
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
I have tried sudo service docker restart, and restarted the machine, but nothing has worked. Any idea what the problem is?

To use the daemon through the tcp socket the option -H tcp://0.0.0.0:2375 should be added to the command docker (both for the daemon and run).
To access the daemon with its default unix socket make sure that the Docker daemon is also started with the option -H=unix:///var/run/docker.sock.
Note that using the tcp is dangerous if you do not trust the network you are in. Here is the doc from the man page:
-H, --host=[unix:///var/run/docker.sock]: tcp://[host]:[port][path] to bind or unix://[/path/to/socket] to use.
The socket(s) to bind to in daemon mode specified using one or more
tcp://host:port/path, unix:///path/to/socket, fd://* or fd://socketfd.
If the tcp port is not specified, then it will default to either 2375 when
--tls is off, or 2376 when --tls is on, or --tlsverify is specified.

How to access Docker container's web server from host

I'm running under boot2docker 1.3.1.
I have a Docker container running a web server via uwsgi --http :8080.
If I attach to the container I can browse the web site using lynx http://127.0.0.1:8080 so I know the server is working.
I ran my container with:
$ docker run -itP --expose 8080 uwsgi_app:0.2
It has the following details:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5248ad86596d uwsgi_app:0.2 "bash" 11 minutes ago Up 11 minutes 0.0.0.0:49159->8080/tcp cocky_hypatia
$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' 5248ad86596d
172.17.0.107
I thought I could access that web site from my host by going to http://172.17.0.107:49159.
This does not work. I just see 'connecting...' in Chrome, getting nowhere.
What am I doing wrong?

Extending Anentropic's answer: boot2docker is the old app for Mac and Windows, docker-machine is the new one.
Firstly, list your machines:
$ docker-machine ls
NAME ACTIVE DRIVER STATE URL SWARM
default * virtualbox Running tcp://192.168.99.100:2376
Then select one of the machines (the default one is called default) and:
$ docker-machine ip default
192.168.99.100

Ok, stupid me, I found the answer in the docs for boot2docker
https://docs.docker.com/installation/mac/#container-port-redirection
I needed to use the ip address of the boot2docker vm, rather than the ip of the container, i.e.
$ boot2docker ip
192.168.59.103
and I am able to browse my site from the host at http://192.168.59.103:49159/
I did not need to add any route on the host

To find the IP address of your container, you should need NO additional installs:
docker inspect <container>
This provides a wealth of info. grep it for the IPAddress.

You could use boot2docker port mapping option -L, as described here.
So, in your case it would be
boot2docker ssh -L 0.0.0.0:8080:localhost:8080
and then
docker run -it -p 8080:8080 uwsgi_app:0.2
That way, you do not have to use boot2docker's IP address: you can use localhost or your own IP address (and your docker container can be accessed from outside).

Boot2docker is outdated, but you may still have this problem on Docker for Windows or Mac, even though the same container works on Linux. One symptom is that trying to access a page on the server inside the container gives the error "didn't send any data" as opposed to "could not connect."
If so, it may be because on Win/Mac the container host has its own IP, it's not localhost as it is on linux. Try running Django on IP 0.0.0.0, meaning accept connections from all IPs, like this:
python manage.py runserver 0.0.0.0:8000
Alternatively, if you need to make sure the server only responds to local requests (such as from your local proxy like nginx, apache, or gunicorn) you can use the host IP returned by hostname -i.
And make sure you are using the -p port forwarding option correctly in the docker run command.
Assuming all is well, you should be able to access your server at http://localhost in a browser running on the host machine.

docker build -t {imagename} .
docker build -t api-rest-test .
docker run -dp {localport}:{exposeport} image:name
docker run -dp 8080:8080 api-rest-test:latest
make sure you are using the same port for yourlocalport and exposeport
then you can access your rest service in your local machine http://localhost:8080

[EDIT: original version was ignoring the -P in question]
If you want to get to the containers without having to 'publish' the port (which changes its number)
there is a good run-through here.
The key is this line:
sudo route -n add 172.17.0.0/16 172.16.0.11
which tells the Mac how to route to the private network inside the VirtualBox VM that the Docker containers are on.

Had the same issue and in my case i was using AWS EC2 instance. I was trying with the container IP which did not work. Then I used the actual public IP of the AWS host as the IP, which worked.

How to troubleshoot the issue on hosting application on local host browser
For this launch the container with below command, in my case it was:
[root#centoslab3 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1b81d8a0e3e1 centos:baseweb "/bin/bash" 8 minutes ago Exited (0) 24 seconds ago webtest
[root#centoslab3 ~]# docker run --name=atul -v /root/dockertest:/var/www/html -i -t -p 5000:8000 centos:baseweb /bin/bash
In the httpd configuration:
[root#adb28b08c9ed /]# cd /etc/httpd/conf
[root#adb28b08c9ed conf]# ll
total 52
-rw-r--r--. 1 root root 34419 Sep 19 15:16 httpd.conf
edit the file with the port 8000 in listner and update the container ip and port under Servername.
Restart the httpd service and you are done.
Hope this helps

How to detect a docker daemon port

I have installed Ubuntu and Docker. I am trying to launch Raik container:
$ DOCKER_RIAK_AUTOMATIC_CLUSTERING=1 DOCKER_RAIK_CLUSTER_SIZE=5 DOCKER_RIAK_BACKEND=leveldb make start-cluster ./bin/start
and get the error message:
It looks like the environment variable DOCKER_HOST has not been set.
The Riak cluster cannot be started unless this has been set
appropriately. For example:
export DOCKER_HOST="tcp://127.0.0.1:2375"
If I set
export DOCKER_HOST="tcp://127.0.0.1:2375"
all my other containers stop working and said, that can not find the Docker daemon.
It looks like my Docker damon use other than 2375 port. How can I check it ?

By default, the docker daemon will use the unix socket unix:///var/run/docker.sock (you can check this is the case for you by doing a sudo netstat -tunlp and note that there is no docker daemon process listening on any ports). It's recommended to keep this setting for security reasons but it sounds like Riak requires the daemon to be running on a TCP socket.
To start the docker daemon with a TCP socket that anybody can connect to, use the -H option:
sudo docker -H 0.0.0.0:2375 -d &
Warning: This means machines that can talk to the daemon through that TCP socket can get root access to your host machine.
Related docs:
http://basho.com/posts/technical/running-riak-in-docker/
https://docs.docker.com/install/linux/linux-postinstall/#configure-where-the-docker-daemon-listens-for-connections

Prepare extra configuration file. Create a file named /etc/systemd/system/docker.service.d/docker.conf. Inside the file docker.conf, paste below content:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
Note that if there is no directory like docker.service.d or a file named docker.conf then you should create it.
Restart Docker. After saving this file, reload the configuration by systemctl daemon-reload and restart Docker by systemctl restart docker.service.
Check your Docker daemon. After restarting docker service, you can see the port in the output of systemctl status docker.service
like /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock.
Hope this may help
Thank you!

Reference docs of docker: https://docs.docker.com/install/linux/linux-postinstall/#configure-where-the-docker-daemon-listens-for-connections
There are 2 ways in configuring the docker daemon port
1) Configuring at /etc/default/docker file:
DOCKER_OPTS="-H tcp://127.0.0.1:5000 -H unix:///var/run/docker.sock"
2) Configuring at /etc/docker/daemon.json:
{
"debug": true,
"hosts": ["tcp://127.0.0.1:5000", "unix:///var/run/docker.sock"]
}
If the docker default socket is not configured Docker will wait for infinite period.i.e
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
Waiting for /var/run/docker.sock
NOTE : BUT DON'T CONFIGURE IN BOTH THE CONFIGURATION FILES, the following error may occur :
Waiting for /var/run/docker.sock
unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: hosts: (from flag: [tcp://127.0.0.1:5000 unix:///var/run/docker.sock], from file: tcp://127.0.0.1:5000)
The reason for adding both the user port[ tcp://127.0.0.1:5000] and default docker socket[unix:///var/run/docker.sock] is that the user port enables the access to the docker APIs whereas the default socket enables the CLI. In case the default port[unix:///var/run/docker.sock] is not mentioned in /etc/default/docker file the following error may occur:
# docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
This error is not because that the docker is not running, but because of default docker socket is not enabled.
Once the configuration is enabled restart the docker service and verify the docker port is enabled or not:
# netstat -tunlp | grep -i 5000
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 31661/dockerd
Applicable for Docker Version 17.04, may vary with different versions of docker.

Since I also had the same problem of "How to detect a docker daemon port" however I had on OSX and after little digging in I found the answer. I thought to share the answer here for people coming from osx.
If you visit known-issues from docker for mac and github issue, you will find that by default the docker daemon only listens on unix socket /var/run/docker.sock and not on tcp. The default port for docker is 2375 (unencrypted) and 2376(encrypted) communication over tcp(although you can choose any other port).
On OSX its not straight forward to run the daemon on tcp port. To do this one way is to use socat container to redirect the Docker API exposed on the unix domain socket to the host port on OSX.
docker run -d -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 bobrik/socat TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock
and then
export DOCKER_HOST=tcp://localhost:2375
However for local client on mac os you don't need to export DOCKER_HOST variable to test the api.

If you run ps -aux | grep dockerd you should see the endpoints it is running on.

Try add -H tcp://0.0.0.0:2375(at end of Execstart line) instead of -H 0.0.0.0:2375.