How can I use the docker daemon from a container running on a host provisioned by Docker Machine?

I am trying to use the docker daemon from a container on a host created by docker machine.

Initially I was trying to connect to the host daemon via a volume-mounted unix socket (-v /var/run/docker.sock:/var/run/docker.sock), but that kept failing:

    [root@f57377672f7f docker]# env | grep DOCKER
    DOCKER_HOST=unix:///var/run/docker.sock
    DOCKER_TLS_VERIFY=1
    DOCKER_CERT_PATH=/etc/docker
    
    [root@bd4154b372d5 code]# docker images
    An error occurred trying to connect: Get https://%2Fvar%2Frun%2Fdocker.sock/v1.23/images/json: tls: oversized record received with length 20527
    

I’m not sure why it’s trying to connect over HTTPS even though DOCKER_HOST is unix://.


Next I tried tcp://, but this failed because the TLS certs generated by docker machine are generated to work only for the host’s external interfaces.

    # On the host
    ubuntu@spot:~$ ps aux | grep 'docker daemon'
    root     23678  0.4  0.7 907564 59648 ?        Ssl  10:01   1:16 /usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver aufs --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=amazonec2
    
    # From the container
    [root@f57377672f7f docker]# env | grep DOCKER
    DOCKER_HOST=tcp://172.17.0.1:2376
    DOCKER_TLS_VERIFY=1
    DOCKER_CERT_PATH=/etc/docker
    
    [root@f57377672f7f docker]# docker images
    An error occurred trying to connect: Get https://172.17.0.1:2376/v1.23/images/json: x509: certificate is valid for 54.165.194.148, not 172.17.0.1
    

Thus, in order to connect to the host’s daemon from a container, I need to:

1. Copy the certs from my local ~/.docker/machines/machine/$machine/ to the container at build-time.
2. Hard-wire the external IP of that host as DOCKER_HOST (e.g. tcp://54.165.194.148:2376) in the container at build-time, too.

Is there a way to get around this without turning TLS off on the external interface? I also don’t want to modify the container’s Dockerfile for every host that it has to run on.

One solution collected from the web for “How can I use the docker daemon from a container running on a host provisioned by Docker Machine?”

The docker client only attempts HTTPS connections if DOCKER_TLS_VERIFY is enabled or even set in the environment. It attempts to translate the DOCKER_HOST URI to an https:// address.

To allow the client to use a local socket instead of HTTPS, you must first set DOCKER_TLS_VERIFY:

    [root@f57377672f7f docker]# unset DOCKER_TLS_VERIFY
    

docker [command] works over the unix socket!
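
The same fix as a reusable entrypoint helper, so the image does not need per-host changes. This is an added example, not code from the question or the answer; the function names `docker_client_mode` and `fix_docker_env` are hypothetical and the environment values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: normalise the docker client environment inside a container.

# Print how the docker client will connect, given the current environment.
docker_client_mode() {
    case "${DOCKER_HOST:-}" in
        unix://*) mode=socket ;;
        tcp://*)  mode=tcp ;;
        "")       mode=default ;;
        *)        mode=other ;;
    esac
    # Per the answer above, the client attempts HTTPS whenever
    # DOCKER_TLS_VERIFY is set, so test for presence, not for a value.
    if [ -n "${DOCKER_TLS_VERIFY+x}" ]; then
        echo "$mode+tls"
    else
        echo "$mode"
    fi
}

# For a unix:// DOCKER_HOST, drop the TLS variables inherited from the
# docker-machine environment; leave tcp:// settings untouched.
fix_docker_env() {
    case "$(docker_client_mode)" in
        socket+tls)
            unset DOCKER_TLS_VERIFY DOCKER_CERT_PATH
            ;;
    esac
    return 0
}

# Demonstration with constructed values, run in a subshell so the
# caller's environment is not modified.
(
    DOCKER_HOST=unix:///var/run/docker.sock
    DOCKER_TLS_VERIFY=1
    DOCKER_CERT_PATH=/etc/docker
    export DOCKER_HOST DOCKER_TLS_VERIFY DOCKER_CERT_PATH
    echo "before: $(docker_client_mode)"
    fix_docker_env
    echo "after:  $(docker_client_mode)"
)
```

In an entrypoint script, call `fix_docker_env` before `exec docker "$@"`. Any process that can reach the bind-mounted socket has full control of the host's daemon, so mount it only into containers you would trust with root on the host.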
