How can I use the docker daemon from a container running on a host provisioned by Docker Machine?
Initially I was trying to connect to the host daemon via a volume-mounted unix socket (-v /var/run/docker.sock:/var/run/docker.sock), but that kept failing:

    [root@f57377672f7f docker]# env | grep DOCKER
    DOCKER_HOST=unix:///var/run/docker.sock
    DOCKER_TLS_VERIFY=1
    DOCKER_CERT_PATH=/etc/docker
    [root@bd4154b372d5 code]# docker images
    An error occurred trying to connect: Get https://%2Fvar%2Frun%2Fdocker.sock/v1.23/images/json: tls: oversized record received with length 20527

I’m not sure why it’s trying to connect over HTTPS even though
Next I tried tcp://, but this failed because the TLS certs generated by docker machine are generated to work only for the host’s external interfaces.

    # On the host
    ubuntu@spot:~$ ps aux | grep 'docker daemon'
    root 23678 0.4 0.7 907564 59648 ? Ssl 10:01 1:16 /usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver aufs --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=amazonec2

    # From the container
    [root@f57377672f7f docker]# env | grep DOCKER
    DOCKER_HOST=tcp://172.17.0.1:2376
    DOCKER_TLS_VERIFY=1
    DOCKER_CERT_PATH=/etc/docker
    [root@f57377672f7f docker]# docker images
    An error occurred trying to connect: Get https://172.17.0.1:2376/v1.23/images/json: x509: certificate is valid for 184.108.40.206, not 172.17.0.1

Thus, in order to connect to the host’s daemon from a container, I need to:
- Copy the certs from my local ~/.docker/machines/machine/$machine/ to the container at build-time.
- Hard-wire the external IP of that host as tcp://220.127.116.11:2376) in the container at build-time, too.
Is there a way to get around this without turning TLS off on the external interface? I also don’t want to modify the container’s Dockerfile for every host that it has to run on.
One solution collected from the web for “How can I use the docker daemon from a container running on a host provisioned by Docker Machine?”
The docker client only attempts HTTPS connections if DOCKER_TLS_VERIFY is enabled or even set in the environment. It attempts to translate the DOCKER_HOST URI to an
To allow the client to use a local socket instead of HTTPS, you must first set
[root@f57377672f7f docker]# unset DOCKER_TLS_VERIFY
docker [command] works over the unix socket!
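
The fix above as an entrypoint helper, so the image needs no per-host changes. This is an added example, not part of the original answer; the names docker_client_env, docker_in_container and DOCKER_CLIENT_MODE are hypothetical.

```shell
#!/bin/sh
# Added example: source this from a container entrypoint so the image does
# not hard-code host-specific Docker client settings.

# Sets DOCKER_CLIENT_MODE to "socket" or "remote" and fixes up the environment.
# $1 (optional): socket path assumed when DOCKER_HOST is unset.
docker_client_env() {
    default_sock="${1:-/var/run/docker.sock}"
    case "${DOCKER_HOST:-}" in
        unix://*)
            DOCKER_CLIENT_MODE=socket ;;
        "")
            # No DOCKER_HOST given: point the client at the mounted socket.
            DOCKER_HOST="unix://${default_sock}"
            export DOCKER_HOST
            DOCKER_CLIENT_MODE=socket ;;
        *)
            # tcp:// and other remote schemes: leave TLS settings as given.
            DOCKER_CLIENT_MODE=remote
            return 0 ;;
    esac
    if [ -n "${DOCKER_TLS_VERIFY+x}" ]; then
        echo "docker_client_env: unix socket in use, dropping DOCKER_TLS_VERIFY" >&2
    fi
    # Per the answer above, the client switches to HTTPS whenever
    # DOCKER_TLS_VERIFY is set, so remove it (and the cert path) here.
    unset DOCKER_TLS_VERIFY DOCKER_CERT_PATH
}

# Wrapper that normalises the environment, then runs the real client.
docker_in_container() {
    docker_client_env
    command docker "$@"
}
```

A container with /var/run/docker.sock mounted talks to the host daemon with no TLS client authentication at all, so mount the socket only into containers that are meant to have full control of that daemon.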