【Docker】Docker Daemon

Posted by 西维蜀黍 on 2022-04-03, Last Modified on 2022-04-05

Setup Docker Daemon for Remote Connection

By default, Docker runs through a non-networked UNIX socket. It can also optionally communicate using SSH or a TLS (HTTPS) socket.

# how to find the path of daemon.json
$ ps auxww | grep docker
root         921  0.0  2.0 1570256 82092 ?       Ssl  17:06   0:07 dockerd --group docker --exec-root=/run/snap.docker --data-root=/var/snap/docker/common/var-lib-docker --pidfile=/run/snap.docker/docker.pid --config-file=/var/snap/docker/1767/config/daemon.json

$ sudo vim /var/snap/docker/1767/config/daemon.json
{
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}

# restart the Docker Daemon
$ sudo snap restart docker.dockerd
# or
$ sudo systemctl restart docker

# test your daemon's port
$ netstat -an | grep LISTEN | grep 2375
# or
$ docker --debug --host tcp://localhost:2375

# view logs
$ sudo snap logs docker.dockerd

Deploy a plain HTTP registry

$ docker info
...
Insecure Registries:
 127.0.0.0/8

This means I haven’t set the Docker Daemon up right. Notice these few lines:

Insecure Registries:
 127.0.0.0/8

Try to add this line to Docker’s daemon.json file and restart the Docker Daemon:

"insecure-registries":["0.0.0.0:2375"]
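The two daemon.json changes above (a tcp:// host entry and an insecure-registries entry) are exactly the settings a reviewer checks before a daemon is exposed. The following audit script is an added example, not code from the original post or from Docker: it parses a daemon.json body, flags any tcp:// listener that has no tls/tlsverify, any bind to a non-loopback address, and any insecure-registries entry beyond Docker's built-in 127.0.0.0/8 exception. The two embedded configurations are constructed samples (the first reproduces the settings from this post, the second is a hardened counterpart whose certificate paths are assumptions).

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the daemon.json this post arrives at, a plaintext TCP
# listener on all interfaces plus the insecure-registries line.
DAEMON_JSON_FROM_POST = """
{
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
    "insecure-registries": ["0.0.0.0:2375"]
}
"""

# Constructed hardened counterpart: client certificates required (tlsverify)
# on the conventional TLS port 2376. The certificate paths are assumptions.
DAEMON_JSON_HARDENED = """
{
    "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
    "tlsverify": true,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem"
}
"""

LOCAL_ONLY_BINDS = {"127.0.0.1", "::1", "localhost"}
DEFAULT_INSECURE = {"127.0.0.0/8"}  # Docker's built-in loopback exception


def audit_daemon_config(text):
    """Return a list of (severity, message) findings for a daemon.json body."""
    cfg = json.loads(text)
    findings = []
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))

    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local and permission-gated
        bind = parts.hostname or "0.0.0.0"  # "tcp://:2375" means all interfaces
        if not (tls or tlsverify):
            findings.append(("critical", f"{host}: plaintext API with no authentication; "
                             "anyone who can reach the port controls the daemon as root"))
        elif not tlsverify:
            findings.append(("high", f"{host}: TLS without client verification; "
                             "encrypted but still unauthenticated"))
        if bind not in LOCAL_ONLY_BINDS:
            findings.append(("medium", f"{host}: listens on non-loopback address {bind}"))

    if tlsverify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(("high", f"tlsverify is set but {key} is missing"))

    for reg in cfg.get("insecure-registries", []):
        if reg not in DEFAULT_INSECURE:
            findings.append(("medium", f"insecure-registries: {reg} allows plain-HTTP "
                             "pulls, so images have no transport integrity"))
    return findings


def worst_severity(findings):
    """3 = critical, 2 = high, 1 = medium, 0 = clean."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((order[sev] for sev, _ in findings), default=0)


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /var/snap/docker/1767/config/daemon.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DAEMON_JSON_FROM_POST
    for sev, msg in audit_daemon_config(text):
        print(f"[{sev}] {msg}")
```

Run it against the config-file path shown by `ps auxww | grep docker`; with no argument it audits the embedded sample from this post and reports a critical finding for the plaintext 2375 listener. The hardened sample still reports one medium finding (bound to all interfaces), which is the expected state for a daemon that is meant to be reachable remotely behind mutual TLS.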


Connect to Remote Docker Daemon

Via HTTPS

# Linux/Mac
export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://your-remote-server.org:2376"
export DOCKER_CERT_PATH="/home/me/docker-tls"

# or
$ docker --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=cert.pem \
    --tlskey=key.pem \
    -H=$HOST:2376 version

Be sure that your DOCKER_CERT_PATH directory contains the following files:

  • ca.pem (CA certificate)
  • cert.pem (client certificate)
  • key.pem (client’s private key)

How to generate certs: https://docs.docker.com/engine/security/protect-access/#create-a-ca-server-and-client-keys-with-openssl

Via SSH

$ DOCKER_HOST="ssh://sw@192.168.18.10:31565" docker info

# Note: connecting through docker-machine produces the following error
$ docker-machine create --driver none --url=ssh://192.168.18.10 default4
Running pre-create checks...
Creating machine...
To see how to connect your Docker Client to the Docker Engine running on this virtual machine, run: docker-machine env default4
$ docker-machine ls
NAME       ACTIVE   DRIVER       STATE     URL                   SWARM   DOCKER    ERRORS
default4   -        none         Running   ssh://192.168.18.10           Unknown   Unable to query docker version: Get "ssh://192.168.18.10/v1.15/version": unsupported protocol scheme "ssh"

Via HTTP

$ DOCKER_HOST="tcp://192.168.18.10:2375" docker ps

$ DOCKER_HOST="tcp://192.168.18.10:2375" docker run hello-world

Via curl

$ curl https://$HOST:2376/images/json \
  --cert ~/.docker/cert.pem \
  --key ~/.docker/key.pem \
  --cacert ~/.docker/ca.pem

Skip TLS Verification

Test Docker Daemon

$ echo -e "GET /_ping HTTP/1.1\r\n" | nc 192.168.18.168 2376
HTTP/1.0 400 Bad Request

Client sent an HTTP request to an HTTPS server.

# or
$ curl <ip>:<port>/v1.38/containers/json
# e.g.,
$ curl 192.168.18.10:2375/v1.38/containers/json

# Via HTTPS
$ curl https://192.168.18.10:2375/images/json \
  --cert ~/.docker/cert.pem \
  --key ~/.docker/key.pem \
  --cacert ~/.docker/ca.pem

Connecting to the secure Docker port using curl

To use curl to make test API requests, you need to use three extra command line flags:

$ curl https://$HOST:2376/images/json \
  --cert ~/.docker/cert.pem \
  --key ~/.docker/key.pem \
  --cacert ~/.docker/ca.pem

Troubleshooting

server gave HTTP response to HTTPS client

Error

$ docker-machine ls
NAME       ACTIVE   DRIVER       STATE     URL                        SWARM   DOCKER    ERRORS
default3   -        none         Running   tcp://192.168.18.10:2375           Unknown   Unable to query docker version: Get "https://192.168.18.10:2375/v1.15/version": http: server gave HTTP response to HTTPS client

Solution 1 - Add HTTP support on the Docker Daemon

Solution 2 - Have the client connect to the Docker Daemon over HTTP
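The `/_ping` test above and the "server gave HTTP response to HTTPS client" error in this section are the same question seen from two sides: does the port speak plain HTTP or TLS? The script below is an added example, not code from the original post or from Docker. `probe_plaintext` sends the same `GET /_ping` probe as the `nc` command (with a `Host:` header added, which Go's HTTP/1.1 server requires) and classifies the reply; `ping_mutual_tls` is the curl invocation from this post done with the standard library, verifying the server against ca.pem and presenting the client certificate. The two sample responses are constructed, not captured from a real host.

```python
import http.client
import socket
import ssl

# The probe from this post, plus the Host header an HTTP/1.1 server expects.
PING_REQUEST = b"GET /_ping HTTP/1.1\r\nHost: docker\r\nConnection: close\r\n\r\n"

# Constructed sample responses (not captured from a real daemon):
RESP_PLAINTEXT_DAEMON = (b"HTTP/1.1 200 OK\r\nApi-Version: 1.41\r\n"
                         b"Content-Type: text/plain; charset=utf-8\r\n"
                         b"Content-Length: 2\r\n\r\nOK")
RESP_TLS_DAEMON = (b"HTTP/1.0 400 Bad Request\r\n\r\n"
                   b"Client sent an HTTP request to an HTTPS server.\n")


def classify_ping_response(raw):
    """Map a raw reply to the plaintext /_ping probe onto what it means.

    'open-plaintext' : the API answers over plain HTTP (unauthenticated access)
    'tls-only'       : the port speaks TLS and rejects plain HTTP clients
    'no-response'    : the connection closed without any data
    'unknown'        : something else is listening on the port
    """
    if not raw:
        return "no-response"
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if status_line.startswith(b"HTTP/") and b" 200 " in status_line and body.strip() == b"OK":
        return "open-plaintext"
    if b"HTTP request to an HTTPS server" in raw:
        return "tls-only"
    return "unknown"


def api_version(raw):
    """Return the Api-Version header a Docker daemon sends on /_ping, or None."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"api-version":
            return value.strip().decode()
    return None


def probe_plaintext(host, port, timeout=3.0):
    """Send the plaintext /_ping probe over a raw socket and classify the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PING_REQUEST)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return classify_ping_response(b"".join(chunks))


def ping_mutual_tls(host, port, cacert, cert, key, timeout=3.0):
    """Verify the daemon against cacert and present the client cert; return HTTP status."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cacert)
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # cert.pem / key.pem from DOCKER_CERT_PATH
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/_ping")
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Usage: python ping.py <host> <port>
    host, port = sys.argv[1], int(sys.argv[2])
    print(probe_plaintext(host, port))
```

An `open-plaintext` result on a port reachable from outside the host is the finding to act on; `tls-only` is the state the HTTPS setup in this post is meant to produce, and the docker-machine error in this section is simply a client that assumed TLS talking to a port that returned `open-plaintext`.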
