Can I connect docker from remote docker client?

  • Question

  • Can I connect to Windows Server Docker from a remote Docker client on Linux or Windows?

    It seems Windows Server Docker listens only on 127.0.0.1:2375, not on the local IP:2375. So docker -H fqdn:2375 ... results in connection refused.

    Saturday, August 22, 2015 4:16 AM

Answers

  • Through a bit of adventuring I discovered that you can edit the file C:\ProgramData\docker\runDockerDaemon.cmd and change the first docker daemon statement (i.e. not the secure one) to:

    docker daemon -D -b "Virtual Switch" -H 0.0.0.0:2376 -H 127.0.0.1:2375

    it'll still be listening on the default port and also listening to 2376 on the external IP.  You need to restart the service net stop docker / net start docker but then it worked for me.  I was able to publish an app to a container from VS 2015 using the Visual Studio Tools for Docker after I'd made the above changes.


    Saturday, August 22, 2015 8:57 AM

All replies

  • It seems to me there's something odd happening though - it's as though the daemon is TLS encrypted by default.

    PS C:\ProgramData\docker> docker -H 127.0.0.1:2375 --tlsverify=false info
    An error occurred trying to connect: Get https://127.0.0.1:2375/v1.21/info: tls: oversized record received with length 20527

    and yet, in my docker daemon.log, there's a line that says:

    time="2015-08-22T21:37:35.142861700+10:00" level=warning msg="/!\\ DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING /!\\"
    time="2015-08-22T21:37:35.143863000+10:00" level=info msg="Listening for HTTP on tcp (0.0.0.0:2375)"
    time="2015-08-22T21:37:35.143863000+10:00" level=debug msg="Stackdump - waiting signal at Global\\docker-daemon-6020"

    Saturday, August 22, 2015 11:43 AM
  • If I don't specify the tlsverify flag at all the client works, the line in the cmd file running the daemon shouldn't enable encryption.  First example below is with the flag you included, second is without it

    C:\Program Files (x86)\Microsoft Visual Studio 11.0>docker -H 192.168.1.177:2376 --tlsverify=false info
    An error occurred trying to connect: Get https://192.168.1.177:2376/v1.20/info: tls: oversized record received with length 20527

    C:\Program Files (x86)\Microsoft Visual Studio 11.0>docker -H 192.168.1.177:2376 info
    Containers: 2
    Images: 8
    Storage Driver: windowsfilter
     Windows:
    Execution Driver: Windows 1854 1.9.0-dev 4376380
    Logging Driver: json-file
    Kernel Version: 10.0 10514 (10514.0.amd64fre.th2_release.150808-1529)
    Operating System: Windows Server 2016 Technical Preview 3
    CPUs: 1
    Total Memory: 1.076 GiB
    Name: WINDOWS-9TR7Q9R
    ID: FCBF:XHAE:XRSU:U4RB:APKM:YZJS:EWR3:QP37:QFNB:DNAV:GPHO:JV4Z
    Debug mode (server): true
    File Descriptors: -1
    Goroutines: 21
    System Time: 2015-08-22T13:22:20.388968-07:00
    EventsListeners: 0
    Init SHA1:
    Init Path: C:\Windows\System32\docker.exe
    Docker Root Dir: C:\ProgramData\docker

    Saturday, August 22, 2015 8:28 PM
  • Thanks. I succeeded by not using TLS.

    These are my steps (this is for a non-secure connection)

    1) Edit C:\ProgramData\docker\runDockerDaemon.cmd, add -H 0.0.0.0:2375 like below.

    @echo off

    set certs=%ProgramData%\docker\certs.d

    if exist %ProgramData%\docker (goto :run)

    mkdir %ProgramData%\docker

    :run

    if exist %certs%\server-cert.pem (goto :secure)

    docker daemon -D -b "Virtual Switch" -H 0.0.0.0:2375 

    goto :eof

    :secure

    docker daemon -D -b "Virtual Switch" -H 0.0.0.0:2376 --tlsverify --tlscacert=%certs%\ca.pem --tlscert=%certs%\server-cert.pem --tlskey=%certs%\server-key.pem

    2) Restart container host

    3) From remote Windows or Linux (I used CoreOS stable on Azure)

    docker -H <remoteip>:2375 info

    * I got the Docker client for Windows onto a Windows desktop by...

    wget -Uri http://aka.ms/ContainerTools -OutFile .\docker.exe -UseBasicParsing

     

    Saturday, August 22, 2015 10:48 PM
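
With `-H 0.0.0.0:2375` and no `--tlsverify`, the Docker API is reachable without authentication by anything that can connect to the port, which is what the daemon's log warning quoted earlier in the thread refers to. An added example, not code from the thread or from Docker (function names are illustrative, and the sample script is constructed from the one posted above), that scans a runDockerDaemon.cmd for `docker daemon` lines binding TCP on a non-loopback address without `--tlsverify`:

```python
import ipaddress
import re

HOST_RE = re.compile(r"(?:^|\s)(?:-H|--host)[=\s]+(\S+)")
TLSVERIFY_RE = re.compile(r"(?:^|\s)--tlsverify(?:=(\S+))?")


def is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames: assume reachable from the network


def tls_verified(cmdline: str) -> bool:
    """True only when --tlsverify is present and not set to false."""
    m = TLSVERIFY_RE.search(cmdline)
    return bool(m) and (m.group(1) or "true").lower() not in ("false", "0")


def audit_script(text: str) -> list:
    """Return (line number, bind) for each exposed, unauthenticated TCP bind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "docker daemon" not in line or tls_verified(line):
            continue
        for bind in HOST_RE.findall(line):
            if "://" in bind and not bind.startswith("tcp://"):
                continue  # local pipe/socket transports are out of scope here
            addr = bind.split("://", 1)[-1]
            host = addr.rsplit(":", 1)[0].strip("[]")
            if not is_loopback(host):
                findings.append((lineno, bind))
    return findings


# Constructed sample: the script from the post above, blank lines removed.
SAMPLE = "\n".join([
    r"@echo off",
    r"set certs=%ProgramData%\docker\certs.d",
    r":run",
    r"if exist %certs%\server-cert.pem (goto :secure)",
    r'docker daemon -D -b "Virtual Switch" -H 0.0.0.0:2375',
    r"goto :eof",
    r":secure",
    r'docker daemon -D -b "Virtual Switch" -H 0.0.0.0:2376 --tlsverify '
    r"--tlscacert=%certs%\ca.pem --tlscert=%certs%\server-cert.pem "
    r"--tlskey=%certs%\server-key.pem",
])
```

Only the plaintext branch (line 5 of the sample) is reported; the `:secure` branch passes because it carries `--tlsverify`.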
  • I was also successful in setting up the TLS connection on 2376/tcp. These are my steps (sorry, in Japanese :)

    http://yamanxworld.blogspot.jp/2015/08/windows-server-2016-tp3-windows-docker.html#more


    Monday, August 24, 2015 1:44 AM
  • Thank you, that did the trick for me.  There is something specific about how the VS2015 Docker Extension configures the Docker Daemon that makes TLS "unreachable".  This at least works for insecure mode.

    What about for secure mode, has anyone figured that out?  I was still getting an error even though my certs are uploaded and 2375 added.

    PS C:\ProgramData\Docker> docker ps
    Get http://127.0.0.1:2375/v1.21/containers/json: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
    * Are you trying to connect to a TLS-enabled daemon without TLS?

    runDockerDaemon.cmd

    ....

    :secure
    docker daemon -D -b "Virtual Switch" -H 0.0.0.0:2376 -H 127.0.0.1:2375 --tlsverify --tlscacert=%certs%\ca.pem --tlscert=%certs%\server-cert.pem --tlskey=%certs%\server-key.pem

    Tuesday, September 15, 2015 6:09 PM
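
The two errors quoted in the thread so far are the same mismatch seen from opposite sides: length 20527 is 0x502F, the bytes "P/" of a plaintext "HTTP/" reply read as a TLS record length, and "\x15\x03\x01\x00\x02\x02" is a TLS alert record returned to a plain-HTTP client. An added example, not code from the thread or from Docker (function names are illustrative, inputs are constructed), that decodes the first bytes of a listener's reply accordingly:

```python
import struct

TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
MAX_RECORD_LEN = 2**14 + 2048  # TLS 1.2 ciphertext limit (RFC 5246, 6.2.3)


def classify_first_bytes(data: bytes) -> dict:
    """Decide whether a listener's first reply bytes are HTTP or a TLS record."""
    if len(data) < 5:
        return {"protocol": "unknown"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if data.startswith(b"HTTP/"):
        # A TLS client reads these same five bytes as a record header, so
        # "P/" becomes the record length it then rejects as oversized.
        return {"protocol": "http", "length_seen_by_tls_client": length,
                "oversized": length > MAX_RECORD_LEN}
    if ctype in TLS_RECORD_TYPES and version >> 8 == 3:
        result = {"protocol": "tls", "record": TLS_RECORD_TYPES[ctype],
                  "version": (version >> 8, version & 0xFF), "length": length}
        body = data[5:5 + length]
        if ctype == 21 and body:
            result["alert_level"] = ALERT_LEVELS.get(body[0], "unknown")
            if len(body) > 1:  # description byte may be cut off in the error
                result["alert_description"] = body[1]
        return result
    return {"protocol": "unknown"}


def diagnose(client_uses_tls: bool, data: bytes) -> str:
    """Turn the classification into the mismatch the operator has to fix."""
    seen = classify_first_bytes(data)["protocol"]
    if seen == "http" and client_uses_tls:
        return "listener is plaintext: drop the client TLS flags or enable TLS on the daemon"
    if seen == "tls" and not client_uses_tls:
        return "listener requires TLS: connect with the client certificate options"
    return "no mismatch" if seen != "unknown" else "unrecognised reply"


# Constructed inputs matching the two errors quoted in the thread.
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"
TLS_ALERT = b"\x15\x03\x01\x00\x02\x02"
```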
  • I think I managed to figure it out:

    In essence, you need to generate certs, per the directions in https://docs.docker.com/articles/https/.  (Note that if you use the azure cli to generate your docker vm -- via azure vm docker create -- and your OpenSSL_CONF was configured correctly when you did so -- that the docker create script will automate the generation of the certs for you; although the extension doesn't seem to know how to upload them correctly for Windows based docker hosts.)

    Next, you need to upload the certs and place them correctly in your host's Docker\Certs.d directory.  There are probably better solutions, but I remote desktopped to the host -- making sure to first expose my local drive via Local Experience (click the More button).  I was then able to:

    The runDockerDaemon.cmd script automatically will launch in tls mode if these 3 files are present in the host in the correct location; without any modifications to the script.  You can confirm this via the powershell command:

    • netstat -a -n -b  | Select-String docker -Context 1,0

    Don't forget to expose port 2376 as well on the host via the Powershell command:

    • New-NetFirewallRule -DisplayName "Allow Inbound Remote Docker Requests" -Direction Inbound -LocalPort 2376 -Protocol TCP -Action Allow

    Assuming your VM has a public IP, you should then be able to connect to it remotely via: docker --tls -H server.domain.name:2376 info

    Hope this helps!

    Donovan



    Thursday, September 24, 2015 5:47 AM