@CollinChaffin
Created September 5, 2019 00:17
Enable Docker Remote API on Photon OS v3(+)

Enable Local/Remote Docker API on PhotonOS

Prerequisites

You must have already performed the following in one form or another, as well as properly set a STATIC IP. Bear in mind that many instructions do not properly show how to commit iptables changes on Photon so that they survive reboots.

iptables -A INPUT -p tcp --dport 2375 -j ACCEPT
iptables -A INPUT -p tcp --dport 2376 -j ACCEPT
iptables-save > /etc/systemd/scripts/ip4save
systemctl restart iptables

Perform (Re)configuration of Docker Daemon (using Proper Local Configs)

systemctl stop docker
systemctl disable docker
# IF NEW, DOCKER.SOCKET WON'T EVEN EXIST YET SO IGNORE ANY ERROR/WARNINGS BUT THIS ENABLES THIS TO 
# BE RERUN LATER IF NEEDED AND DOES NOT HURT TO RERUN OVER ITSELF
systemctl stop docker.socket
systemctl disable docker.socket

# FIX/CREATE THE LOCAL UNIT (NOT THE LIB COPY, AS INCORRECTLY STATED BY OTHERS, WHICH IS OVERWRITTEN ON UPGRADES!)
echo '[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
' > /etc/systemd/system/docker.service

# FIX/CREATE THE NON-EXISTENT DOCKER.SOCKET UNIT ON PHOTONOS IF UPGRADING FROM THE DEFAULT DOCKER INSTALL
# AGAIN THIS IS THE LOCAL UNIT, NOT THE LIB COPY THAT WOULD BE OVERWRITTEN ON UPGRADE
echo '[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target
' > /etc/systemd/system/docker.socket

# RESTART DOCKER AND TEST VIA SHELL FOR API OUTPUT
systemctl daemon-reload
systemctl enable docker.socket
systemctl enable docker
systemctl start docker
systemctl start docker.socket

# TEST IF WE NOW GET PROPER TCP-BASED API RESPONSE (REMOTE SHOULD NOW WORK TOO)
docker -H tcp://0.0.0.0:2375 ps
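The ExecStart line above binds dockerd to every interface on 2375 with no authentication, so anyone who can reach that port controls the daemon, and therefore the host, as root. The following script is an added example and not part of the gist: it audits a docker.service unit for that listener and writes a copy that uses the TLS port 2376 (already opened in the prerequisites) with --tlsverify; TLS_DIR and the certificate file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original gist. Audits a docker.service unit for
# the unauthenticated tcp:// listener and produces a copy that listens on 2376
# with --tlsverify instead. TLS_DIR and the cert file names are assumptions;
# generate the CA and server certificates however your site does it.
TLS_DIR="${TLS_DIR:-/etc/docker/tls}"

# Returns 0 when the unit's ExecStart binds a "-H tcp://" endpoint without
# --tlsverify, i.e. anyone who can reach that port drives dockerd as root.
unit_exposes_plain_tcp() {
    exec_line=$(grep -E '^ExecStart=' "$1" | head -n 1)
    case "$exec_line" in
        *' -H tcp://'*)
            case "$exec_line" in
                *--tlsverify*) return 1 ;;
                *)             return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Prints the ExecStart line for a TLS-only listener on 2376, the port the
# prerequisite iptables rule already opens. With --tlsverify dockerd rejects
# any client whose certificate is not signed by ca.pem.
tls_execstart() {
    printf 'ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify'
    printf ' --tlscacert=%s/ca.pem --tlscert=%s/server-cert.pem --tlskey=%s/server-key.pem\n' \
        "$TLS_DIR" "$TLS_DIR" "$TLS_DIR"
}

# Writes a copy of unit $1 to $2 with its ExecStart replaced by the TLS variant.
# sed uses | as the delimiter because the replacement contains slashes.
harden_unit() {
    sed "s|^ExecStart=.*|$(tls_execstart)|" "$1" > "$2"
}

# Stand-alone usage: sh audit-docker-unit.sh /etc/systemd/system/docker.service
if [ "$#" -eq 1 ]; then
    if unit_exposes_plain_tcp "$1"; then
        echo "WARNING: $1 exposes dockerd over plain TCP; suggested replacement:"
        tls_execstart
    else
        echo "OK: $1 has no unauthenticated tcp:// listener"
    fi
fi
```

After writing the hardened copy over /etc/systemd/system/docker.service, the same `systemctl daemon-reload` and restart sequence applies, and the client test becomes `docker --tlsverify -H tcp://<host>:2376 ps` with the matching client certificate.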

x0341 commented Dec 10, 2019

Thanks. Solved my problem.


ghost commented Sep 16, 2020

You might also need this in the iptables rules, if using docker swarm:

iptables -A INPUT -p tcp --dport 2377 -j ACCEPT
