Enable TCP port 2375 for external connection to Docker

docker-api-port.md

Enable TCP port 2375 for external connection to Docker

See this issue.
Docker best practise to Control and configure Docker with systemd.

1. Create daemon.json file in /etc/docker:

    {"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}
   

2. Add /etc/systemd/system/docker.service.d/override.conf

    [Service]
    ExecStart=
    ExecStart=/usr/bin/dockerd
   

3. Reload the systemd daemon:

    systemctl daemon-reload
   

4. Restart docker:

    systemctl restart docker.service
   

Thank you!

Worked like charm on centos 7 too. Was struggling to get this working since 2 days.

Steps followed:

1. vi /usr/lib/systemd/system/docker.service

add the line below where you find ExecStart (under Service section):

2. ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock

Then,
3. systemctl daemon-reload
4. systemctl restart docker.service

Can confirm it works both on arch and debian 11.
Thanks!

I was also unable to get it to work on Debian 11 without the workaround in https://gist.github.com/styblope/dc55e0ad2a9848f2cc3307d4819d819f#gistcomment-3482239 (directly editing the docker.service file). It seems that on Debian 11, the docker.service.d/override.conf doesn't actually get read, so you just have to edit the docker.service.

I also used ExecStart=/usr/sbin/dockerd --containerd=/run/containerd/containerd.sock --tls=false to avoid the very strong and important complaints:

Binding to IP address without --tlsverify is insecure and gives root access on this machine to everyone who has access to your network. host="tcp://0.0.0.0:2375".
Binding to an IP address, even on localhost, can also give access to scripts run in a browser. Be safe out there! host="tcp://0.0.0.0:2375"
Binding to an IP address without --tlsverify is deprecated. Startup is intentionally being slowed down to show this message host="tcp://0.0.0.0:2375"
Please consider generating tls certificates with client validation to prevent exposing unauthenticated root access to your network host="tcp://0.0.0.0:2375"
You can override this by explicitly specifying '--tls=false' or '--tlsverify=false' host="tcp://0.0.0.0:2375"
Support for listening on TCP without authentication or explicit intent to run without authentication will be removed in the next release host="tcp://0.0.0.0:2375"

I absolutely do not get this run with docker 20.10.12 and ubuntu 21.10

I tried to edit /usr/lib/systemd/system/docker.service or do it via systemctl edit docker.service
Every time when I add -H tcp://127.0.0.1:2375 or tcp://0.0.0.0:2375 the docker.service cannot start
I tried with -H unix, without, with --containerd and without.

ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --containerd=/run/containerd/containerd.sock

Any suggestion how to solve it?

check logs, journalctl -xe. The options overlap, remove the 127.0.0.1 , 0.0.0.0 means all interfaces.

Follow this:
https://docs.docker.com/engine/install/linux-postinstall/#configure-where-the-docker-daemon-listens-for-connections

NOTE: Just change the IP from 127.0.0.1 to 0.0.0.0 and its work fine for Ubuntu ( for selenium dynamic grid)

I found that the docker daemon failed to start on reboot (only) with the approach described here. I never tracked down the source of the problem.

However, it did lead me to implement instead an alternative solution with socat:

exec socat -d TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock

Notes:

• I used daemontools to launch this an keep it running (https://cr.yp.to/daemontools.html).
• You can protect the port with the range=... option to socat, or with IP tables or netfilter.

Does not work for Docker Desktop on Windows. It refuses bind to 0.0.0.0

I was having an issue to connect from another machine, turns out it was a firewall issue.
to fix I did:
ufw allow 2375/tcp
ufw reload
hopefully this helps someone.

Thanks!!

👍 ✔️ 🙇‍♀️
I can also confirm this, very much GG @styblope, my rock star hero!1 :))))))

Specs:

• Linux Mint 20.3 Una x64
• Docker version 20.10.16, build aa7e414
• Docker Compose version v2.5.0

🔥

I need to run docker from external docker client but the docker server is containerized (no daemon)
is it aplicable ?

I need to run docker from external docker client but the docker server is containerized (no daemon) is it aplicable ?

AFAIK, Docker will be run as daemon wherever you deploy it.

Here's another way that worked for me:

/etc/systemd/system/docker.service.d/override.conf

[Service]
 ExecStart=
 ExecStart=/usr/bin/dockerd --config-file /etc/docker/daemon.json

/etc/docker/daemon.json

{
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}

Thanks! for me it required a reboot to work

AFAIK, Docker will be run as daemon wherever you deploy it.

Docker in Docker has two versions

• docker:latest daemond and host dependant
• docker:dind web interface based (seems to be no daemon | or fully isolated from host)

I was testing docker, minikube, and K8s functionalities inside docker

The way I was able to do that without exec command is docker context

for me it was not a server or daemon problem, but a context one

This answer helped me connecting to remote docker client and docker in docker via contexts :

• https://forums.docker.com/t/how-do-you-create-a-context-for-a-remote-tls-daemon/117275/3?u=abdelazizsharaf
• https://forums.docker.com/t/tls-over-context/128795?u=abdelazizsharaf this was my original quistion that this answer completed

So now we have both exposing docker via tcp and connecting to docker via tcp in this thread..

Another thing to think about is security

Is the exposed port with your methods are encrypted or not ?

docker:dind has two ports to expose

• 2375 no encrypton - context do not require cert or key
• 2376 encrypted - context require key pair to qualify connection

Is that encryption applicable with your methods ?

I think this is the part where we go inside docker:dind entry point file

so it should be this part

dockerd \
     --host="$dockerSocket" \
     --host=tcp://0.0.0.0:2376 \
     --tlsverify \
     --tlscacert "$DOCKER_TLS_CERTDIR/server/ca.pem" \
     --tlscert "$DOCKER_TLS_CERTDIR/server/cert.pem" \
     --tlskey "$DOCKER_TLS_CERTDIR/server/key.pem"

and @russellhoff : you are right

• the daemon server is running but as an entrypoint and not a service (I miss understood)

When i try to build the image be means of the BuildImage command, i am getting the

Connect to http://127.0.0.1:2375 [/127.0.0.1] failed: Connection refused: no further information

Apparently Gradle does not make match with the WSL platform IP.

thanks a lot

Great job
Thanks

@abel-delafuente tcp not http
you could also try to use a unix socket instead and test again to make sure if it's a docker behavior or a network restriction

Great! It's working for me.

Anyone having issues on DietPi? I am just getting familiar with DietPi and cannot get this to work.

that helped thank you!

Add /etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd

I'm on a Synology NAS and I don't have the folder /etc/systemd/system/docker.service.d/override.conf ??? Any help on how to do step 2?

For everyone finding this page and looking for instructions for Synology's new Container Manager,

1. sudo vi /var/packages/ContainerManager/etc/dockerd.json

change to:
{"data-root":"/var/packages/ContainerManager/var/docker","log-driver":"db","registry-mirrors":[],"storage-driver":"aufs","hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}

(basically add the stuff from the original step 1 to the end, without the curly-brackets {} )

2. systemctl daemon-reload

3. sudo systemctl restart pkg-ContainerManager-dockerd

You may need to repeat these steps when the Container Manager package gets updated. So far it's working for me

For everyone finding this page and looking for instructions for Synology's new Container Manager,

1. sudo vi /var/packages/ContainerManager/etc/dockerd.json

change to: {"data-root":"/var/packages/ContainerManager/var/docker","log-driver":"db","registry-mirrors":[],"storage-driver":"aufs","hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}

(basically add the stuff from the original step 1 to the end, without the curly-brackets {} )

2. systemctl daemon-reload
3. sudo systemctl restart pkg-ContainerManager-dockerd

You may need to repeat these steps when the Container Manager package gets updated. So far it's working for me

Hi,bro. I'm trying to add the proxy option for the dockerd.json,there is some problem for me.
I had read the docs of how to set the value of daemon-proxy,but the error still exsit.

  "proxies": {
    "http-proxy": "http://proxy.example.com:80",
    "https-proxy": "https://proxy.example.com:443",
    "no-proxy": "*.test.example.com,.example.org",
  }

unable to configure the Docker daemon with file /var/packages/ContainerManager/etc/dockerd.json: the following directives don't match any configuration option: http-proxy, https-proxy, no-proxy

{"data-root":"/var/packages/ContainerManager/var/docker","log-driver":"db","proxies":{"http-proxy":"http://127.0.0.1:7890","https-proxy":"http://127.0.0.1:7890","no-proxy":"localhost,127.0.0.1"},"registry-mirrors":[],"storage-driver":"aufs"}
can you give me some help? appreciate it.

Sorry @honue , I don't know as I don't use proxies. Maybe Synology doesn't support those options. They are also using a slightly older version of docker. v20.10.23, build 876964a