@styblope
Last active April 12, 2024 17:46
Enable TCP port 2375 for external connection to Docker

See this issue.
Docker best practice: Control and configure Docker with systemd.

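  1. Create a daemon.json file in /etc/docker. The hosts entry makes the daemon listen on plain TCP port 2375 on all interfaces, in addition to the local Unix socket: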

     {"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}
    
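  2. Add /etc/systemd/system/docker.service.d/override.conf. The empty ExecStart= line clears the packaged command, so that a -H option there does not conflict with the hosts key in daemon.json: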

     [Service]
     ExecStart=
     ExecStart=/usr/bin/dockerd
    
  3. Reload the systemd daemon:

     systemctl daemon-reload
    
  4. Restart docker:

     systemctl restart docker.service
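
The conflict that step 2 works around and the listener that step 1 opens can both be checked before restarting the daemon. The following Python check is an added example, not part of the gist; `audit_dockerd`, the sample strings and the packaged `ExecStart` line are assumptions made for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_dockerd(daemon_json, exec_start):
    """Return findings for a daemon.json document and a systemd ExecStart line."""
    cfg = json.loads(daemon_json)
    argv = shlex.split(exec_start)

    # Listener addresses given as command-line flags (-H x, --host x, --host=x).
    flag_hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            flag_hosts.append(argv[i + 1])
        elif arg.startswith("--host="):
            flag_hosts.append(arg.split("=", 1)[1])
    file_hosts = cfg.get("hosts", [])

    findings = []
    # dockerd refuses to start when a directive is set both as a flag and in
    # the file, which is why the drop-in resets ExecStart to a bare dockerd.
    if flag_hosts and file_hosts:
        findings.append("conflict: hosts set in daemon.json and on ExecStart")

    tls_verified = cfg.get("tlsverify") is True or any(
        a in ("--tlsverify", "--tlsverify=true") for a in argv)
    for host in file_hosts + flag_hosts:
        url = urlsplit(host)
        if url.scheme == "tcp" and not tls_verified:
            scope = "loopback" if url.hostname in LOOPBACK else "network"
            findings.append(f"unauthenticated: {host} ({scope})")
    return findings


# Constructed samples: the gist's daemon.json, a TLS variant of it, and a
# packaged ExecStart line (assumed; check yours with `systemctl cat docker`).
GIST_JSON = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
TLS_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
            ' "tlsverify": true}')
STOCK_EXEC = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for name, doc, cmd in [("gist + stock unit", GIST_JSON, STOCK_EXEC),
                           ("gist + override", GIST_JSON, "/usr/bin/dockerd"),
                           ("tls + override", TLS_JSON, "/usr/bin/dockerd")]:
        print(name, audit_dockerd(doc, cmd))
```

The check only looks at whether `tlsverify` is enabled; it does not validate the certificate files the daemon would load.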
    
@rfay

rfay commented Dec 27, 2021

I was also unable to get it to work on Debian 11 without the workaround in https://gist.github.com/styblope/dc55e0ad2a9848f2cc3307d4819d819f#gistcomment-3482239 (directly editing the docker.service file). It seems that on Debian 11, the docker.service.d/override.conf doesn't actually get read, so you just have to edit the docker.service.

I also used ExecStart=/usr/sbin/dockerd --containerd=/run/containerd/containerd.sock --tls=false to avoid the very strong and important complaints:

Binding to IP address without --tlsverify is insecure and gives root access on this machine to everyone who has access to your network. host="tcp://0.0.0.0:2375".
Binding to an IP address, even on localhost, can also give access to scripts run in a browser. Be safe out there! host="tcp://0.0.0.0:2375"
Binding to an IP address without --tlsverify is deprecated. Startup is intentionally being slowed down to show this message host="tcp://0.0.0.0:2375"
Please consider generating tls certificates with client validation to prevent exposing unauthenticated root access to your network host="tcp://0.0.0.0:2375"
You can override this by explicitly specifying '--tls=false' or '--tlsverify=false' host="tcp://0.0.0.0:2375"
Support for listening on TCP without authentication or explicit intent to run without authentication will be removed in the next release host="tcp://0.0.0.0:2375"

@boris779

I absolutely cannot get this to run with Docker 20.10.12 and Ubuntu 21.10.

I tried to edit /usr/lib/systemd/system/docker.service or do it via systemctl edit docker.service.
Every time I add -H tcp://127.0.0.1:2375 or tcp://0.0.0.0:2375, docker.service cannot start.
I tried with -H unix, without, with --containerd and without.

ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --containerd=/run/containerd/containerd.sock

Any suggestion how to solve it?

@vincentgerris

Check the logs: journalctl -xe. The options overlap; remove the 127.0.0.1, since 0.0.0.0 means all interfaces.

@h4r5h1t

h4r5h1t commented Jan 28, 2022

Follow this:
https://docs.docker.com/engine/install/linux-postinstall/#configure-where-the-docker-daemon-listens-for-connections

NOTE: Just change the IP from 127.0.0.1 to 0.0.0.0 and it works fine for Ubuntu (for Selenium dynamic grid).

@smblott-github

I found that the docker daemon failed to start on reboot (only) with the approach described here. I never tracked down the source of the problem.

However, it did lead me to implement instead an alternative solution with socat:

exec socat -d TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock

Notes:

  • I used daemontools to launch this and keep it running (https://cr.yp.to/daemontools.html).
  • You can protect the port with the range=... option to socat, or with IP tables or netfilter.

@Nakilon

Nakilon commented Apr 20, 2022

Does not work for Docker Desktop on Windows. It refuses to bind to 0.0.0.0.

@rcedillo45

I was having an issue connecting from another machine; it turns out it was a firewall issue.
To fix it I did:
ufw allow 2375/tcp
ufw reload
Hopefully this helps someone.

@russellhoff

Thanks!!

@sithson

sithson commented May 19, 2022

👍 ✔️ 🙇‍♀️
I can also confirm this, very much GG @styblope, my rock star hero!1 :))))))

Specs:

  • Linux Mint 20.3 Una x64
  • Docker version 20.10.16, build aa7e414
  • Docker Compose version v2.5.0

@sumitdhungana14

🔥

@Sharaf5

Sharaf5 commented Sep 1, 2022

I need to run docker from an external docker client, but the docker server is containerized (no daemon).
Is it applicable?

@russellhoff

> I need to run docker from an external docker client, but the docker server is containerized (no daemon). Is it applicable?

AFAIK, Docker will be run as daemon wherever you deploy it.

@webzakimbo

webzakimbo commented Sep 28, 2022

Here's another way that worked for me:

/etc/systemd/system/docker.service.d/override.conf

[Service]
 ExecStart=
 ExecStart=/usr/bin/dockerd --config-file /etc/docker/daemon.json

/etc/docker/daemon.json

{
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}

@madcowGit

Thanks! For me it required a reboot to work.

@Sharaf5

Sharaf5 commented Dec 9, 2022

> AFAIK, Docker will be run as daemon wherever you deploy it.

Docker in Docker has two versions

  • docker:latest daemond and host dependent
  • docker:dind web interface based (seems to be no daemon | or fully isolated from host)

I was testing docker, minikube, and K8s functionalities inside docker

The way I was able to do that without exec command is docker context

for me it was not a server or daemon problem, but a context one

This answer helped me connect to a remote docker client and docker in docker via contexts:

So now we have both exposing docker via tcp and connecting to docker via tcp in this thread..

@Sharaf5

Sharaf5 commented Dec 9, 2022

Another thing to think about is security

Is the port exposed with your methods encrypted or not?

docker:dind has two ports to expose

  • 2375 no encryption - context does not require cert or key
  • 2376 encrypted - context requires key pair to qualify connection

Is that encryption applicable with your methods?

I think this is the part where we go inside docker:dind entry point file
code

so it should be this part

dockerd \
     --host="$dockerSocket" \
     --host=tcp://0.0.0.0:2376 \
     --tlsverify \
     --tlscacert "$DOCKER_TLS_CERTDIR/server/ca.pem" \
     --tlscert "$DOCKER_TLS_CERTDIR/server/cert.pem" \
     --tlskey "$DOCKER_TLS_CERTDIR/server/key.pem"

and @russellhoff : you are right

  • the daemon server is running but as an entrypoint and not a service (I misunderstood)

@abel-delafuente

abel-delafuente commented Dec 29, 2022

When I try to build the image by means of the BuildImage command, I am getting:

Connect to http://127.0.0.1:2375 [/127.0.0.1] failed: Connection refused: no further information

Apparently Gradle does not make match with the WSL platform IP.

@lalalazero

thanks a lot

@KMMehr

KMMehr commented Jan 14, 2023

Great job
Thanks

@Sharaf5

Sharaf5 commented Jan 14, 2023

@abel-delafuente tcp, not http.
You could also try to use a unix socket instead and test again to make sure whether it's a docker behavior or a network restriction.

@KyongSik-Yoon

Great! It's working for me.

@djshaw0350

Anyone having issues on DietPi? I am just getting familiar with DietPi and cannot get this to work.

@intellectualDarknet

that helped thank you!

@lennon101

> Add /etc/systemd/system/docker.service.d/override.conf
>
>     [Service]
>     ExecStart=
>     ExecStart=/usr/bin/dockerd

I'm on a Synology NAS and I don't have the folder /etc/systemd/system/docker.service.d/override.conf ??? Any help on how to do step 2?

@My-Random-Thoughts

For everyone finding this page and looking for instructions for Synology's new Container Manager,

  1. sudo vi /var/packages/ContainerManager/etc/dockerd.json

     change to:
     {"data-root":"/var/packages/ContainerManager/var/docker","log-driver":"db","registry-mirrors":[],"storage-driver":"aufs","hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}

     (basically add the stuff from the original step 1 to the end, without the curly-brackets {} )

  2. systemctl daemon-reload

  3. sudo systemctl restart pkg-ContainerManager-dockerd

You may need to repeat these steps when the Container Manager package gets updated. So far it's working for me

@honue

honue commented Sep 20, 2023

> For everyone finding this page and looking for instructions for Synology's new Container Manager,
>
>   1. sudo vi /var/packages/ContainerManager/etc/dockerd.json
>
>      change to: {"data-root":"/var/packages/ContainerManager/var/docker","log-driver":"db","registry-mirrors":[],"storage-driver":"aufs","hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}
>
>      (basically add the stuff from the original step 1 to the end, without the curly-brackets {} )
>
>   2. systemctl daemon-reload
>   3. sudo systemctl restart pkg-ContainerManager-dockerd
>
> You may need to repeat these steps when the Container Manager package gets updated. So far it's working for me

Hi, bro. I'm trying to add the proxy option to dockerd.json, but there is a problem for me.
I had read the docs on how to set the value of daemon-proxy, but the error still exists.

  "proxies": {
    "http-proxy": "http://proxy.example.com:80",
    "https-proxy": "https://proxy.example.com:443",
    "no-proxy": "*.test.example.com,.example.org",
  }

unable to configure the Docker daemon with file /var/packages/ContainerManager/etc/dockerd.json: the following directives don't match any configuration option: http-proxy, https-proxy, no-proxy

{"data-root":"/var/packages/ContainerManager/var/docker","log-driver":"db","proxies":{"http-proxy":"http://127.0.0.1:7890","https-proxy":"http://127.0.0.1:7890","no-proxy":"localhost,127.0.0.1"},"registry-mirrors":[],"storage-driver":"aufs"}
Can you give me some help? Appreciate it.

@My-Random-Thoughts

Sorry @honue , I don't know as I don't use proxies. Maybe Synology doesn't support those options. They are also using a slightly older version of docker. v20.10.23, build 876964a

@solarsparq

> ExecStart=
> ExecStart=/usr/bin/dockerd --config-file /etc/docker/daemon.json

Thank you. This override.conf trick worked nicely for me. I used daemon.json to supply my TLS configuration as well as listen on 2376. Giving it nothing except a reference to daemon.json feels like a hack to avoid the hosts conflict.. but it works. Thanks again @webzakimbo

root@mnretrogamer029:~# cat /etc/docker/daemon.json
{
"data-root": "/mnt/dietpi_userdata/docker-data",
"log-driver": "journald",
"log-level": "warn",
"debug": false,
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
"tlscacert": "/etc/docker/certs.d/ca.pem",
"tlscert": "/etc/docker/certs.d/server-cert.pem",
"tlskey": "/etc/docker/certs.d/server-key.pem",
"tlsverify": true
}

@parasiteoflife

What if I don't have systemd? I.e. Unraid/Slackware

@jasonmeehan11

jasonmeehan11 commented Jan 26, 2024

on Ubuntu 22.04.3 couldn't get it to work with these instructions... do this:

Update Docker Configuration:
Edit the Docker daemon configuration file. The configuration file is typically located at /etc/docker/daemon.json. If it doesn't exist, you can create it.

sudo nano /etc/docker/daemon.json

Add the following content to the file:

{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}

This configuration tells Docker to listen on both the UNIX socket and a TCP socket on all available network interfaces (0.0.0.0) on port 2375.

Restart Docker:
After making changes to the Docker daemon configuration, you need to restart the Docker daemon for the changes to take effect.

sudo systemctl restart docker

Adjust Firewall Rules (if necessary):
If you have a firewall enabled on your Ubuntu server, make sure to allow traffic on the Docker daemon port (default is 2375). You can use ufw (Uncomplicated Firewall) to do this:

sudo ufw allow 2375

@dmote75

dmote75 commented Feb 28, 2024

For Synology NAS (I am using DS923+) I found an easier way.
In your compose file for Homepage make sure to have the following listed under 'volumes'
- /var/run/docker.sock:/var/run/docker.sock

Then in your Homepage docker.yaml file, uncomment only this part:

# my-docker:
#   socket: /var/run/docker.sock

Once I did this it's working. Didn't have to mess with anything else.

@fbaligand

Thanks for your gist! It works great for me, with special case where I use Windows 10 & WSL2!

@HarshDev2

thanks, it worked for me
