35

I'm trying to use the Docker API to connect to docker daemon from another machine. I am able to do this command successfully:

```
docker -H=tcp://127.0.0.1:4243 images
```

But NOT when I use the real IP address:

```
docker -H=tcp://192.168.2.123:4243 images
2013/08/04 01:35:53 dial tcp 192.168.2.123:4243: connection refused
```

Why can't I connect when using a non-local IP?

I'm using a Vagrant VM with the following in Vagrantfile: `config.vm.network :private_network, ip: "192.168.2.123"`

The following is iptables:

```
# Generated by iptables-save v1.4.12 on Sun Aug  4 01:24:46 2013
*filter
:INPUT ACCEPT [1974:252013]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1511:932565]
-A INPUT -p tcp -m tcp --dport 4243 -j ACCEPT
COMMIT
# Completed on Sun Aug  4 01:24:46 2013
# Generated by iptables-save v1.4.12 on Sun Aug  4 01:24:46 2013
*nat
:PREROUTING ACCEPT [118:8562]
:INPUT ACCEPT [91:6204]
:OUTPUT ACCEPT [102:7211]
:POSTROUTING ACCEPT [102:7211]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.16.42.0/24 ! -d 172.16.42.0/24 -j MASQUERADE
```
Victor Lyuboslavsky
  • 3
    Note that the official port for Docker is now **2375**: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=docker – Daniel Serodio Sep 05 '14 at 13:35

4 Answers

63

Came across a similar issue, one thing I don't see mentioned here is you need to start docker to listen to both the network and a unix socket. All regular docker (command-line) commands on the host assume the socket.

```
sudo docker -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock -d &
```

will start docker listening to any ip address on your host, as well as the typical unix socket.

Ted M. Young
Andy D
  • I added the -H tcp://0.0.0.0:2375 to my server, but still cannot access it from another PC. Is it possible something is wrong with my proxy? – hukeping Jan 15 '15 at 04:13
  • And yes, it is because of the proxy. When I add the IP of the docker server to no_proxy, it works. – hukeping Jan 15 '15 at 04:16
  • 1
    Please don't open an unsecured TCP socket to the world. Check out the answer by Sven and read https://medium.com/@omercnet/dockerized-pwnage-f4cacecfb129#.c1j57qt6n – omercnet Jul 12 '16 at 17:33
  • For Windows, see: [Run Docker from the Windows Subsystem for Linux](https://blog.bigfont.ca/run-docker-from-the-wsl/). – kenorb Aug 13 '18 at 13:57
11

You need to listen to 0.0.0.0. When you listen on 127.0.0.1, it means that no one outside your host will be able to connect.

creack
10

Please note that in doing this, you have given anyone, and any URL sent to you by email, access to your Docker API, and thus root permission.

You should, at minimum, secure your socket using HTTPS: http://docs.docker.com/articles/https/

SvenDowideit
2

There are 2 ways of configuring the docker daemon port:

1) Configuring in the /etc/default/docker file:

```
DOCKER_OPTS="-H tcp://127.0.0.1:5000 -H unix:///var/run/docker.sock"
```

2) Configuring in /etc/docker/daemon.json:

```
{
  "hosts": ["tcp://<IP-ADDRESS>:<PORT>", "unix:///var/run/docker.sock"]
}
```

IP-ADDRESS - any address which is accessible can be used.

Restart the docker service after configuring the port.

The reason for adding both the user port [tcp://127.0.0.1:5000] and the default docker socket [unix:///var/run/docker.sock] is that the user port enables access to the docker APIs, whereas the default socket enables the CLI.

Here_2_learn
  • 5,013
  • 15
  • 50
  • 68
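
An added example, not code from any of the posts above: a small Python check over the two configuration locations named in the last answer (a `DOCKER_OPTS` value and `daemon.json`), flagging the unauthenticated TCP listeners that the answer about securing the socket warns against. The function names, sample addresses and certificate paths are constructed for illustration; `hosts` and `tlsverify` are existing `daemon.json` keys.

```python
import ipaddress
import json
import shlex

def tcp_listeners(daemon_json="", docker_opts=""):
    """Return (tcp:// hosts, tlsverify) from daemon.json text and a DOCKER_OPTS value."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    args = shlex.split(docker_opts)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return [h for h in hosts if h.startswith("tcp://")], tlsverify

def is_loopback(host):
    """True if a tcp://addr:port listener binds only to the loopback interface."""
    addr = host[len("tcp://"):].rsplit(":", 1)[0].strip("[]")
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # empty or hostname: assume reachable from the network

def audit(daemon_json="", docker_opts=""):
    """Return [(severity, host)] for TCP listeners that do not verify client certs."""
    hosts, tlsverify = tcp_listeners(daemon_json, docker_opts)
    if tlsverify:
        return []
    # FAIL: API reachable from other machines; WARN: any local process can reach it
    return [("WARN" if is_loopback(h) else "FAIL", h) for h in hosts]

# Constructed samples, modelled on the settings quoted in the answers above
OPEN_OPTS = "-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"
LOCAL_OPTS = "-H tcp://127.0.0.1:5000 -H unix:///var/run/docker.sock"
TLS_JSON = """{
  "hosts": ["tcp://192.168.2.123:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, kw in [("open", {"docker_opts": OPEN_OPTS}), ("local", {"docker_opts": LOCAL_OPTS}),
                     ("tls", {"daemon_json": TLS_JSON})]:
        print(name, audit(**kw) or "ok")
```

The unix socket entries are ignored on purpose: access to them is governed by file permissions on the host, not by the network.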