【Docker】Docker Daemon

Posted by 西维蜀黍 on 2022-04-03, Last Modified on 2023-05-02

Start

# init docker daemon
$ sudo vim /etc/docker/daemon.json
{
  "debug": true,
  "tls": false,
  "hosts":["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}
$ sudo dockerd

Refer to https://docs.docker.com/engine/reference/commandline/dockerd/

Setup Docker Daemon for Remote Connection

By default, Docker runs through a non-networked UNIX socket. It can also optionally communicate using SSH or a TLS (HTTPS) socket.

# how to find the path of daemon.json
$  ps auxww | grep docker
root         921  0.0  2.0 1570256 82092 ?       Ssl  17:06   0:07 dockerd --group docker --exec-root=/run/snap.docker --data-root=/var/snap/docker/common/var-lib-docker --pidfile=/run/snap.docker/docker.pid --config-file=/var/snap/docker/1767/config/daemon.json

$ sudo vim /var/snap/docker/1767/config/daemon.json
{
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}

# restart the Docker Daemon
$ sudo snap restart docker.dockerd
# or
$ sudo systemctl restart docker

# test your daemon's port
$ netstat -an | grep LISTEN  | grep 2375
# or
$ docker --debug --host tcp://localhost:2375 info

# view logs
$ sudo snap logs docker.dockerd
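
A tcp:// entry in hosts without tlsverify lets anyone who can reach the port control the daemon, so daemon.json is worth auditing before the restart. The script below is an added example, not code from the original post; audit_daemon_config is a hypothetical helper name, and the sample documents and certificate paths are constructed.

```python
import json
from urllib.parse import urlsplit

WILDCARD_ADDRS = {"", "0.0.0.0", "::"}

def audit_daemon_config(text):
    """Return (host, issue) findings for the TCP listeners in a daemon.json."""
    cfg = json.loads(text) if text.strip() else {}
    verify = cfg.get("tlsverify") is True
    encrypted = verify or cfg.get("tls") is True  # tlsverify implies tls
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are local sockets
        if not encrypted:
            findings.append((host, "plaintext-no-auth"))
        elif not verify:
            findings.append((host, "tls-without-client-cert-check"))
        if (url.hostname or "") in WILDCARD_ADDRS:
            findings.append((host, "bound-to-all-interfaces"))
    return findings

# Constructed sample 1: the listener settings shown in this post.
EXPOSED = """
{
  "debug": true,
  "tls": false,
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}
"""

# Constructed sample 2: mutual TLS on one address (paths are placeholders).
HARDENED = """
{
  "tlsverify": true,
  "tlscacert": "/etc/docker/tls/ca.pem",
  "tlscert": "/etc/docker/tls/server-cert.pem",
  "tlskey": "/etc/docker/tls/server-key.pem",
  "hosts": ["tcp://192.168.18.10:2376", "unix:///var/run/docker.sock"]
}
"""

if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit_daemon_config(doc))
```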

Default Path of Config File

To configure the Docker daemon using a JSON file, create a file at /etc/docker/daemon.json on Linux systems, or C:\ProgramData\docker\config\daemon.json on Windows. On macOS, go to the whale icon in the taskbar > Preferences > Daemon > Advanced.

The default location of the configuration file on Linux is /etc/docker/daemon.json. The --config-file flag can be used to specify a non-default location.

Config File

https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file

Deploy a plain HTTP registry

$ docker info
...
Insecure Registries:
 127.0.0.0/8

This output means the Docker Daemon is not set up correctly yet. Notice these lines:

Insecure Registries:
 127.0.0.0/8

Try to add this line to Docker’s daemon.json file and restart the Docker Daemon:

"insecure-registries":["0.0.0.0:2375"]
# how to find the path of daemon.json
$  ps auxww | grep docker
root         921  0.0  2.0 1570256 82092 ?       Ssl  17:06   0:07 dockerd --group docker --exec-root=/run/snap.docker --data-root=/var/snap/docker/common/var-lib-docker --pidfile=/run/snap.docker/docker.pid --config-file=/var/snap/docker/1767/config/daemon.json

# restart the Docker Daemon
$ sudo snap restart docker.dockerd
# or
$ sudo systemctl restart docker

# test your daemon's port
$ netstat -an | grep LISTEN  | grep 2375
# or
$ docker --debug --host tcp://localhost:2375 info

# view logs
$ sudo snap logs docker.dockerd

Connect to Remote Docker Daemon

Via HTTPS

# Linux/Mac
export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://your-remote-server.org:2376"
export DOCKER_CERT_PATH="/home/me/docker-tls"

# or
$ docker --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=cert.pem \
    --tlskey=key.pem \
    -H=$HOST:2376 version

Be sure that your DOCKER_CERT_PATH directory contains the following files:

  • ca.pem (CA certificate)
  • cert.pem (client certificate)
  • key.pem (client’s private key)

How to generate certs: https://docs.docker.com/engine/security/protect-access/#create-a-ca-server-and-client-keys-with-openssl
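
Before connecting, the certificate directory can be checked for the three files above and for a private key that other users cannot read. This is an added example, not code from the original post; check_cert_dir is a hypothetical helper name, and rejecting any group/other permission on key.pem is a hardening assumption.

```python
import os
import stat

# File name -> text expected in its first PEM header line.
EXPECTED = {"ca.pem": "CERTIFICATE", "cert.pem": "CERTIFICATE", "key.pem": "PRIVATE KEY"}

def check_cert_dir(path):
    """Return a list of problems found in a DOCKER_CERT_PATH directory."""
    problems = []
    for name, marker in EXPECTED.items():
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            problems.append(f"{name}: missing")
            continue
        # Catches swapped files, e.g. a key saved under cert.pem.
        with open(full, "r", errors="replace") as fh:
            first = fh.readline()
        if not (first.startswith("-----BEGIN") and marker in first):
            problems.append(f"{name}: first line is not a PEM {marker} header")
        if name == "key.pem":
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & 0o077:  # any group/other permission bit is set
                problems.append(f"key.pem: mode {mode:04o} is accessible beyond the owner")
    return problems

if __name__ == "__main__":
    # The docker client falls back to ~/.docker when DOCKER_CERT_PATH is unset.
    cert_dir = os.environ.get("DOCKER_CERT_PATH", os.path.expanduser("~/.docker"))
    for line in check_cert_dir(cert_dir) or ["ok"]:
        print(line)
```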

Via SSH

$ DOCKER_HOST="ssh://sw@192.168.18.10:31565" docker info

# Note: connecting through docker-machine produces the following error
$ docker-machine create --driver none --url=ssh://192.168.18.10 default4
Running pre-create checks...
Creating machine...
To see how to connect your Docker Client to the Docker Engine running on this virtual machine, run: docker-machine env default4
$ docker-machine ls
NAME       ACTIVE   DRIVER       STATE     URL                   SWARM   DOCKER    ERRORS
default4   -        none         Running   ssh://192.168.18.10           Unknown   Unable to query docker version: Get "ssh://192.168.18.10/v1.15/version": unsupported protocol scheme "ssh"

Via HTTP

$ DOCKER_HOST="tcp://192.168.18.10:2375" docker ps

$ DOCKER_HOST="tcp://192.168.18.10:2375" docker run hello-world

Via curl

$ curl https://$HOST:2376/images/json \
  --cert ~/.docker/cert.pem \
  --key ~/.docker/key.pem \
  --cacert ~/.docker/ca.pem

Skip TLS Verification

Test Docker Daemon

$ echo -e "GET /_ping HTTP/1.1\r\n" | nc 192.168.18.168 2376
HTTP/1.0 400 Bad Request

Client sent an HTTP request to an HTTPS server.

# or
$ curl <ip>:<port>/v1.38/containers/json 
# e.g.,
$ curl 192.168.18.10:2375/v1.38/containers/json 

# Via HTTPS
$ curl https://192.168.18.10:2375/images/json \
  --cert ~/.docker/cert.pem \
  --key ~/.docker/key.pem \
  --cacert ~/.docker/ca.pem

Connecting to the secure Docker port using curl

To use curl to make test API requests, you need to use three extra command line flags:

$ curl https://$HOST:2376/images/json \
  --cert ~/.docker/cert.pem \
  --key ~/.docker/key.pem \
  --cacert ~/.docker/ca.pem

Troubleshooting

server gave HTTP response to HTTPS client

Error

$ docker-machine ls
NAME       ACTIVE   DRIVER       STATE     URL                        SWARM   DOCKER    ERRORS
default3   -        none         Running   tcp://192.168.18.10:2375           Unknown   Unable to query docker version: Get "https://192.168.18.10:2375/v1.15/version": http: server gave HTTP response to HTTPS client

Solution 1 - Add HTTP support to the Docker Daemon

Solution 2 - Client connects to the Docker Daemon via HTTP

Try to add this line to Docker’s daemon.json file and restart the Docker Daemon: (find the file in C:\ProgramData\Docker\config\)

"insecure-registries":["192.168.99.100:5000"]

Refer to https://stackoverflow.com/questions/49674004/docker-repository-server-gave-http-response-to-https-client

View Logs

The daemon logs may help you diagnose problems. The logs may be saved in one of a few locations, depending on the operating system configuration and the logging subsystem used:

| Operating system | Location |
| --- | --- |
| Linux | Use the command journalctl -xu docker.service (or read /var/log/syslog or /var/log/messages, depending on your Linux distribution) |
| macOS (dockerd logs) | ~/Library/Containers/com.docker.docker/Data/log/vm/dockerd.log |
| macOS (containerd logs) | ~/Library/Containers/com.docker.docker/Data/log/vm/containerd.log |

Debug

Enable debugging

There are two ways to enable debugging. The recommended approach is to set the debug key to true in the daemon.json file. This method works for every Docker platform.

  1. Edit the daemon.json file, which is usually located in /etc/docker/. You may need to create this file, if it does not yet exist. On macOS or Windows, do not edit the file directly. Instead, go to Preferences / Daemon / Advanced.

  2. If the file is empty, add the following:

    {
      "debug": true
    }
    

    If the file already contains JSON, just add the key "debug": true, being careful to add a comma to the end of the line if it is not the last line before the closing bracket. Also verify that if the log-level key is set, it is set to either info or debug. info is the default, and possible values are debug, info, warn, error, fatal.

  3. Send a HUP signal to the daemon to cause it to reload its configuration. On Linux hosts, use the following command.

    $ sudo kill -SIGHUP $(pidof dockerd)
    

    On Windows hosts, restart Docker.

Instead of following this procedure, you can also stop the Docker daemon and restart it manually with the debug flag -D. However, this may result in Docker restarting with a different environment than the one the hosts’ startup scripts create, and this may make debugging more difficult.

Test

# test your daemon's port
$ netstat -an | grep LISTEN  | grep 2375
# or
$ docker --debug --host tcp://localhost:2375 info
