Docker client communicating with docker host - docker

I have a docker daemon installed in UbuntuA machine.
I am using UbuntuB machine as the docker client.
I know that UbuntuA machine has the docker daemon installed and can do operations as well.
But I cannot tell on which port it is running.
I am using this command:
sudo docker -H tcp://127.0.0.1:5555 -d &
and after this, when I use the following command:
sudo docker -H tcp://127.0.0.1:5555 info
I am getting an error: docker daemon not found.
How do I find out on which port the daemon is running?

Using the -H tcp://127.0.0.1:5555 docker daemon option on the UbuntuA machine will instruct docker to bind to the loopback network interface (127.0.0.1). As a result it will only accept connections originating from the UbuntuA machine.
If you want to accept connections incoming from any network interface, use -H tcp://0.0.0.0:5555. Be aware that anyone who is able to connect to your UbuntuA machine on port 5555 will be able to control your docker host. You need to protect it with firewall rules that allow only UbuntuB to connect to UbuntuA on port 5555.

Related

How do I configure docker to allow a connection to a container from other computers?

I am trying to run a small test server with MS SQL Server running on a Mac in a Linux docker container. Maybe I have the terminology wrong so please correct me if necessary:
host - the macOS desktop with docker installed (ip 10.0.1.73)
container - the Linux instance running in the docker container with SQL Server running in it
remote desktop - another computer on the local area network trying to connect to SQL Server
I followed the MS installation instructions and everything seems to be running fine, except I can't connect to SQL Server from the remote desktop.
I can connect to the docker host (10.0.1.73) and can ping the IP address.
I can connect to SQL Server from the docker host and see the databases etc.
I used the following command to create the docker container
sudo docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=<XXXXXX>" -p 1433:1433 --name sqlserver1 -d microsoft/mssql-server-linux:2017-latest
I was thinking that the -p 1433:1433 would map the Linux port to the macOS host port and allow the remote computer to access the docker container when connecting to that port on the macOS host from the local area network.
This is not working and I assume this may be to do with the network routing on the macOS host.
Most solutions I have seen seem to indicate that one should use the VirtualBox UI to modify the network settings, but I don't have that installed.
The others seem to have pages and pages of command line instructions that are required.
Is there an easy solution somewhere I have missed?
EDIT:
Some more research and I found this explanation about how by default the Docker networking is set up for single host networking. Good explanation for anyone else struggling with the Docker concepts.
It is also worth reading up about the differences between docker containers and virtual machines...
https://youtu.be/Js_140tDlVI
Still trying to find some explanation on multi host networking.
Try disabling the firewall on the host you want to connect to.
Port 1433 will be forwarded to the docker container, but your host (Mac) should have port 1433 open to be able to connect to your host.
Using NAT:
Assign the target address to your host interface:
sudo ifconfig en1 alias 10.0.1.74/21 up
Create the docker container and map the port to the second IP address assigned to the host interface:
sudo docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=<XXXXXXXXX>" -p 10.0.1.74:1433:1433 --name sqlserver1 -d microsoft/mssql-server-linux:2017-latest

I have an allowed IP range to configure dockers and I want to export docker daemon on a port

I have exposed it the standard way on port 2375, and docker connects with docker -H tcp://localhost:2375 ps,
but when I connect using the IP address or hostname it does not work:
docker -H tcp://hostname:2375 ps
This command doesn't work.
You need to start the docker daemon to listen on port 2375, so something like:
dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
Then you need to tell the docker client how to connect to the server. A common way to do so is using the DOCKER_HOST environment variable, like:
export DOCKER_HOST=tcp://192.168.99.101:2375
docker info
Note, you need to change 192.168.99.101 to the IP address of your server.
You also need to make sure that the server does not block port 2375 with its firewall.

How does Docker use ports 2375 and 4243?

I see various instances of ports 2375 and 4243 being used for seemingly the same thing while searching the internet. Also, my local machine requires I use 2375 to connect whereas when I push it to our CI server it requires it be set to 4243.
What does Docker use these ports for and how do they differ?
The docker socket can be configured on any port with the dockerd -H option. Common docker ports that I see include:
2375: unencrypted docker socket, remote root passwordless access to the host
2376: tls encrypted socket, most likely this is your CI server's 4243 port as a modification of the https 443 port
2377: swarm mode socket, for swarm managers, not for docker clients
5000: docker registry service
4789 and 7946: overlay networking
Only the first two are set with dockerd -H; swarm mode can be configured as part of docker swarm init --listen-addr or docker swarm join --listen-addr.
I strongly recommend disabling the 2375 port and securing your docker socket. It's trivial to remotely exploit this port to gain full root access without a password. The command to do so is as simple as:
docker -H $your_ip:2375 run -it --rm \
--privileged -v /:/rootfs --net host --pid host busybox
That can be run on any machine with a docker client to give someone a root shell on your host with the full filesystem available under /rootfs, your network visible under ip a, and every process visible under ps -ef.
To set up TLS security on the docker socket, see these instructions: https://docs.docker.com/engine/security/https/

docker for windows how to access docker daemon from container

I'm running Docker Desktop for Windows (Hyper-V) and I need to access the docker daemon from a container via tcp. It is possible to connect to it from the host like:
curl -v 127.0.0.1:2375/info but it is not possible to access it from a container using my host IP address. Maybe someone knows how to do that, or at least how to ssh to that docker VM; for example it is possible to ssh into it on Mac by executing:
screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty
I've figured out how to do that using the socat tool, which takes docker.sock and proxies TCP calls to it.
So I've launched a container with socat which mounts docker.sock, since it is available inside the VM, and exposes port 2375:
docker run -p 2375:2375 -v /var/run/docker.sock:/var/run/docker.sock codenvy/socat -d -d TCP-L:2375,fork UNIX:/var/run/docker.sock
With that, I'm now able to access the docker daemon API through the socat container.

How to access Docker daemon through tcp-socker?

I have added
DOCKER_OPTS="-H tcp://0.0.0.0:2375"
to /etc/default/docker to make the Docker API accessible on my host machine (I'm running Docker in Virtualbox on an Ubuntu VM). However, when I try to run any Docker commands now, I just get this error message:
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
I have tried sudo service docker restart, and restarted the machine, but nothing has worked. Any idea what the problem is?
To use the daemon through the tcp socket, the option -H tcp://0.0.0.0:2375 should be added to the docker command (both for the daemon and for run).
To access the daemon with its default unix socket, make sure that the Docker daemon is also started with the option -H=unix:///var/run/docker.sock.
Note that using tcp is dangerous if you do not trust the network you are in. Here is the doc from the man page:
-H, --host=[unix:///var/run/docker.sock]: tcp://[host]:[port][path] to bind or unix://[/path/to/socket] to use.
The socket(s) to bind to in daemon mode specified using one or more
tcp://host:port/path, unix:///path/to/socket, fd://* or fd://socketfd.
If the tcp port is not specified, then it will default to either 2375 when
--tls is off, or 2376 when --tls is on, or --tlsverify is specified.
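The answers above (binding to 127.0.0.1 versus 0.0.0.0, the DOCKER_OPTS / dockerd -H settings, the 2375 versus 2376 port convention, and the man page's default-port rule) all come down to one question: how reachable is the daemon's listener, and is it authenticated? The following audit script is an added example, not Docker's own code or anything from the answers above. It parses a dockerd command line of the kind found in DOCKER_OPTS or a systemd ExecStart, applies the quoted default-port rule (2375 without --tls, 2376 with --tls or --tlsverify), and classifies each -H listener from a defender's point of view. The sample command lines at the bottom are constructed from the values quoted on this page; the severity labels and the function names are this example's own choices.

```python
"""Audit how a Docker daemon is exposed, based on its -H/--host settings.

Added example: not Docker's code. Input is a dockerd command line (DOCKER_OPTS,
systemd ExecStart, or the -d invocation from the first question). Output is one
record per listener saying whether it is a local socket, plaintext TCP on
loopback, plaintext TCP reachable from the network, or TLS with or without
client verification.
"""
import ipaddress
import shlex
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def default_port(tls: bool, tlsverify: bool) -> int:
    """Port dockerd uses when a tcp:// spec omits one (from the quoted man page)."""
    return 2376 if (tls or tlsverify) else 2375


def parse_docker_opts(opts: str):
    """Pull -H/--host values and the --tls/--tlsverify flags out of a dockerd line.

    Handles both "-H value" and "-H=value" forms, as both appear on this page.
    """
    hosts, tls, tlsverify = [], False, False
    args = shlex.split(opts)
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("-H=") or a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tls", "--tls=true"):
            tls = True
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tls, tlsverify


def is_loopback(host: str) -> bool:
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname we cannot resolve offline; treat as non-loopback


def classify_host(spec: str, tls: bool, tlsverify: bool):
    """Return (listener, severity, reason) for a single -H value."""
    if spec.startswith(("unix://", "fd://")):
        return spec, "ok", "local socket; access is governed by file permissions"
    if not spec.startswith("tcp://"):
        return spec, "unknown", "unrecognised host spec"
    parts = urlsplit(spec)
    host = parts.hostname or ""            # empty host means all interfaces
    port = parts.port or default_port(tls, tlsverify)
    listener = f"tcp://{host or '0.0.0.0'}:{port}"
    if tlsverify:
        return listener, "ok", "TLS with client certificate verification"
    if tls:
        return listener, "high", ("TLS encrypts the channel, but without --tlsverify "
                                  "the daemon does not authenticate clients")
    if is_loopback(host):
        return listener, "medium", ("plaintext, loopback only: every local process can "
                                    "reach it, and daemon access is root-equivalent")
    scope = "all interfaces" if host in ALL_INTERFACES else f"interface {host}"
    return listener, "critical", (f"plaintext on {scope}: anyone who reaches the port gets "
                                  "root-equivalent control; firewall it or move to "
                                  "--tlsverify on 2376")


def audit(opts: str):
    """Audit a full dockerd command line; returns a list of listener records."""
    hosts, tls, tlsverify = parse_docker_opts(opts)
    records = []
    for spec in hosts:
        listener, severity, reason = classify_host(spec, tls, tlsverify)
        records.append({"listener": listener, "severity": severity, "reason": reason})
    return records


if __name__ == "__main__":
    # Constructed samples built from the settings quoted in the answers above.
    samples = [
        "-H tcp://127.0.0.1:5555",
        "-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock",
        "-H=unix:///var/run/docker.sock -H tcp://0.0.0.0 --tlsverify",
    ]
    for line in samples:
        print(f"dockerd {line}")
        for rec in audit(line):
            print(f"  [{rec['severity']:8}] {rec['listener']}: {rec['reason']}")
```

Run against the first question's daemon line the script reports a medium, loopback-only finding, which is exactly why the UbuntuB client could not connect; against the DOCKER_OPTS value from the last question it reports a critical, all-interfaces plaintext listener. Note that `--tls` on its own is rated separately from `--tlsverify`: the former only encrypts, the latter also requires a client certificate.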

Resources