Docker remote daemon (TCP): Cannot connect to the Docker daemon
I'm trying to connect a docker daemon from a client to a remote host via TCP but I'm getting this error:

docker -H tcp://{{HOST_IP}}:2375 ps

Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?

What could be possible reasons for that? What is a proper debugging approach for finding a solution?

  • System: Ubuntu 18.04 (client and host)
  • ufw: enabled for all incoming & outgoing (for testing purposes)
  • access rights: working with root on client & host

WHAT I DID

On host:

systemctl edit docker.service

Add and save these lines:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375

Reload daemon:

systemctl daemon-reload

Restart docker:

systemctl restart docker.service

Check if it worked:

netstat -lntp | grep dockerd

Result:

tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      3758/dockerd

Test with docker:

docker -H tcp://127.0.0.1:2375 ps

Everything worked on the host. However, when I'm trying to connect from the client with the remote host I'm getting an error.

On client:

docker -H tcp://{{HOST_IP}}:2375 ps

Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?

Connecting via ssh works:

docker -H ssh://root@{{HOST_IP}} ps
Hora answered 5/1, 2020 at 23:32

Comments:

So what you've done already is given unrestricted root-level access to any process on the current host, and what you're trying to do is open it up to the whole network. (If you're successful at this you can run docker -H ... -v /:/host busybox cat /host/etc/shadow to read back the encrypted user passwords on that host, as the least damaging thing you could do.) Remove that dockerd -H option immediately and consider whether you might need to reinstall the system. - Unaccountedfor

Thanks for your answer. To clarify, the end goal is to make a secure TCP connection to a remote docker daemon. This didn't work on the first try. For debugging I used two completely empty ubuntu droplets from digitalocean. What would be a better approach for debugging? - Hora

You have the Docker daemon listening on the localhost address, 127.0.0.1. You won't be able to connect to that from a remote host. The only host that can connect to that address is...the local host.

To have the Docker daemon accept connections from remote hosts, you probably want:

ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375

That means, "listen for connections from all hosts". But you don't really want that, because that would grant unauthenticated root access to your system to anyone who was able to connect to that port. You could use iptables to limit access to only particular remote hosts, but it's still a problem, because anybody able to access any of those hosts would have, again, unauthenticated root access to your Docker host.

What you really want to do is to read through "Protect the Docker daemon socket", which discusses how to set up certificate-based authentication for remote connections to the Docker daemon. Unlike the examples in your question, the configuration discussed in that document requires clients to authenticate using an SSL certificate.

This is much more secure than permitting unauthenticated access from anywhere, and it is somewhat more secure than allowing unauthenticated access from specific hosts (because filesystem ownership and permissions can be used to restrict access to the SSL private keys required to grant access to the docker daemon).

Cinchonidine answered 6/1, 2020 at 1:53
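Added example, not code from the question or the answer above: a POSIX shell script that covers both halves of this thread. The first helper is the debugging check the question asks for; it reads netstat -lntp style output and says whether each dockerd listener is loopback-only (the question's 127.0.0.1 case, unreachable from the client) or bound to every interface (the 0.0.0.0 case, which is unauthenticated root unless --tlsverify is on). The remaining helpers do what the answer recommends: generate a CA plus server and client certificates the way "Protect the Docker daemon socket" describes, and write the systemd drop-in that replaces the plain tcp://127.0.0.1:2375 listener with a mutually authenticated one. The netstat sample is constructed (the question's line plus a hypothetical tcp6 listener); the certificate directory /etc/docker/tls, port 2376, key sizes, validity period and the unencrypted CA key are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the two points in the
# answer: (1) spot a loopback-only or wide-open dockerd listener in netstat/ss output,
# (2) produce the TLS material and the systemd drop-in for a --tlsverify daemon.
# Paths (/etc/docker/tls), port 2376, key sizes and validity are assumptions.

# Constructed sample: the netstat line from the question plus a hypothetical
# second daemon bound to every interface (the dangerous 0.0.0.0 / :: case).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      3758/dockerd
tcp6       0      0 :::2375                 :::*                    LISTEN      4120/dockerd'

# dockerd_bind_check "<netstat -lntp output>": prints "addr:port verdict" per dockerd listener.
dockerd_bind_check() {
  printf '%s\n' "$1" | awk '/dockerd/ {
    n = split($4, a, ":")                     # IPv6 "::" style addresses hold several colons
    port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "127.0.0.1" || addr == "::1")
      verdict = "loopback-only: unreachable from other hosts"
    else if (addr == "0.0.0.0" || addr == "::")
      verdict = "all-interfaces: unauthenticated root unless --tlsverify is set"
    else
      verdict = "single-interface"
    print addr ":" port " " verdict
  }'
}

# docker_tls_gen <dir> <host-ip>: CA, server cert (SAN = host IP) and client cert, following
# "Protect the Docker daemon socket". The CA key is left unencrypted so this runs
# non-interactively; encrypt it (openssl genrsa -aes256) and keep it off the host in real use.
# Runs in a subshell so the cd does not leak into the caller.
docker_tls_gen() (
  dir=$1; host=$2
  mkdir -p "$dir" && cd "$dir" || exit 1
  openssl genrsa -out ca-key.pem 4096 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -subj "/CN=docker-ca" -out ca.pem
  # server cert: valid only for the address the client dials, and only for serverAuth
  openssl genrsa -out server-key.pem 4096 2>/dev/null
  openssl req -new -sha256 -key server-key.pem -subj "/CN=$host" -out server.csr
  printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$host" > server-ext.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null
  # client cert: clientAuth only, so a leaked client cert cannot be used to impersonate the server
  openssl genrsa -out key.pem 4096 2>/dev/null
  openssl req -new -key key.pem -subj "/CN=client" -out client.csr
  printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile client-ext.cnf -out cert.pem 2>/dev/null
  rm -f server.csr client.csr server-ext.cnf client-ext.cnf
  chmod 0400 ca-key.pem server-key.pem key.pem     # only root may read the private keys
)

# docker_tls_dropin <cert-dir>: systemd override (what `systemctl edit docker.service` writes to
# /etc/systemd/system/docker.service.d/override.conf) for a mutually authenticated listener.
docker_tls_dropin() {
  cat <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=$1/ca.pem --tlscert=$1/server-cert.pem --tlskey=$1/server-key.pem
EOF
}

# Host side (as root):
#   docker_tls_gen /etc/docker/tls "$HOST_IP"
#   mkdir -p /etc/systemd/system/docker.service.d
#   docker_tls_dropin /etc/docker/tls > /etc/systemd/system/docker.service.d/override.conf
#   systemctl daemon-reload && systemctl restart docker.service
# Client side, after copying ca.pem, cert.pem and key.pem over (e.g. with scp):
#   docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://$HOST_IP:2376 ps
dockerd_bind_check "$SAMPLE_NETSTAT"
```

Run against the question's own netstat line the check reports "127.0.0.1:2375 loopback-only: unreachable from other hosts", which is the whole diagnosis; a daemon that instead shows 0.0.0.0 or :: on 2375 without --tlsverify is the situation the first comment warns about. With the drop-in in place the daemon refuses any client that does not present a certificate signed by ca.pem, and a client that omits --tlsverify gets a TLS handshake error rather than a root shell.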

© 2022 - 2024 — McMap. All rights reserved.