
So for some reason, I'd like to use a docker:dind inside a docker-compose.yml. I know that the "easy" way is to mount the socket directly inside the image (like this: /var/run/docker.sock:/var/run/docker.sock) but I want to avoid that (for security reasons).

Here is my experimental docker-compose.yml:

version: '3.8'
services:
  dind:
    image: docker:19.03.7-dind
    container_name: dind
    restart: unless-stopped
    privileged: true
    environment:
      - DOCKER_TLS_CERTDIR=/certs
    volumes:
      - dind-certs-ca:/certs/ca
      - dind-certs-client:/certs/client
    networks:
      - net
    expose:
      - 2375
      - 5000

volumes:
  dind-certs-ca:
  dind-certs-client:
networks:
  net:
    driver: bridge

Nothing complex here; then I try to see if the service is correctly set up:

docker logs dind

Here no problem, it is up and running. However, once I try to use it, for instance with:

docker run --rm -it --network net --link dind:docker docker version

I get the following error:

Cannot connect to the Docker deamon at tcp://docker:2375. Is there a deamon running ?

Do you have any idea why the daemon is not responding?

---------------------------------------------------------- EDIT ----------------------------------------------------------

Following hariK's comment (thanks by the way) I added port 2376 to the exposed ones. I think I'm near to solving my issue. Here is the error that I get:

error during connect: Get http://docker:2375/v1.40/version dial tcp: lookup on docker on [ip]: no such host

So I looked at this error and found that it seems to be a recurring one across dind versions (there are a lot of issues on GitLab about it, like this one). There is also a post on Stack Overflow about a similar issue for GitLab here.

As workarounds I tried:

  1. Putting this value DOCKER_TLS_CERTDIR: "" hoping to turn off TLS ... but it failed
  2. Downgrading the version to docker:18.05-dind. It actually worked but I don't think it's a good move to make.

If someone has an idea to keep TLS ON and make it work it would be great :) (I'll still be looking on my own but if you can give a nudge with interesting links it would be cool ^^)

David Maze
Pacifuras

3 Answers

To use Docker with TLS disabled (i.e. TCP port 2375 by default), unset the DOCKER_TLS_CERTDIR variable in your dind service definition in Docker Compose, like:

  dind:
    image: docker:dind
    container_name: dind
    privileged: true
    expose:
    - 2375
    environment:
    - DOCKER_TLS_CERTDIR=

(NB: do not initialize it to any value like '' or "")

cactuschibre

So I found a solution, and I added to the basic docker-compose a registry with TLS options.

So I first had to generate the certs and then mount them correctly.

If any of you run into a similar issue, I made a GitHub repo with the docker-compose and the command lines for the certs.

Pacifuras

Some time later, I was looking for the same thing. Here is an example with specific versions for the images, which should still work a few years from now:

version: '3'
services:

  docker:
    image: docker:20.10.17-dind-alpine3.16
    privileged: yes
    volumes:
      - certs:/certs

  docker-client:
    image: docker:20.10.17-cli
    command: sh -c 'while [ 1 ]; do sleep 1; done'
    environment:
      DOCKER_HOST: tcp://docker:2376
      DOCKER_TLS_VERIFY: 1
      DOCKER_CERT_PATH: /certs/client
    volumes:
      - certs:/certs

volumes:
  certs:

The TLS certificates are generated by the "docker" service on startup and shared using a volume.

Use the client as follows:

docker-compose exec docker-client sh

# now within the docker-client container
docker run hello-world
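The third answer relies on the dind service generating client certificates on startup and on the client container pointing DOCKER_HOST at the TLS port 2376. The helper below is an added example, not code from any of the answers or from the docker:dind image: it is a script a docker-client container could source before running `docker`. It assumes the third answer's layout (the dind service is named `docker` on the compose network, it listens with TLS on 2376, and the shared volume exposes the client files as `<certs>/client/ca.pem`, `cert.pem` and `key.pem`). It waits for the certificates to appear (a client started together with the daemon can see an empty volume for a moment), verifies the three files are present, and prints the three DOCKER_* exports; when the certificates are missing, every function fails instead of falling back to the plaintext tcp://docker:2375 endpoint. The `wait_for_client_certs`, `check_client_certs`, `dind_client_env` and `env_is_tls_verified` names are hypothetical.

```shell
#!/bin/sh
# Added example (not code from any answer above): helper functions a
# docker-client container can source before running `docker`.
# Assumed layout (from the third answer): dind service named `docker`,
# TLS on 2376, client certificates at <certs>/client/{ca.pem,cert.pem,key.pem}.
# Missing certificates make every function fail; nothing here falls back to
# the plaintext tcp://docker:2375 endpoint.

DIND_HOST="${DIND_HOST:-docker}"   # compose service name of the dind daemon

# check_client_certs CLIENT_DIR
# Succeeds only if the three PEM files exist and are non-empty.
check_client_certs() {
    dir="$1"
    for f in ca.pem cert.pem key.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# wait_for_client_certs CLIENT_DIR [TIMEOUT_SECONDS]
# The dind entrypoint generates the certificates at startup, so a client that
# starts at the same time can see an empty volume; poll once per second and
# give up after the timeout.
wait_for_client_certs() {
    dir="$1"; timeout="${2:-30}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if check_client_certs "$dir" 2>/dev/null; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "gave up waiting ${timeout}s for client certificates in $dir" >&2
    return 1
}

# dind_client_env CLIENT_DIR [HOST]
# Prints `export` lines for a TLS-verified client (eval its output), or fails.
dind_client_env() {
    dir="$1"; host="${2:-$DIND_HOST}"
    check_client_certs "$dir" || return 1
    printf 'export DOCKER_HOST=tcp://%s:2376\n' "$host"
    printf 'export DOCKER_TLS_VERIFY=1\n'
    printf 'export DOCKER_CERT_PATH=%s\n' "$dir"
}

# env_is_tls_verified
# Pre-flight check on the current DOCKER_* variables: returns 0 only when
# they point at the TLS port, require verification, and the certificate
# directory they reference is populated.
env_is_tls_verified() {
    case "${DOCKER_HOST:-}" in
        tcp://*:2376) ;;
        *)
            echo "DOCKER_HOST is not the TLS endpoint: ${DOCKER_HOST:-unset}" >&2
            return 1 ;;
    esac
    if [ "${DOCKER_TLS_VERIFY:-}" != "1" ]; then
        echo "DOCKER_TLS_VERIFY is not 1" >&2
        return 1
    fi
    if [ -z "${DOCKER_CERT_PATH:-}" ]; then
        echo "DOCKER_CERT_PATH is unset" >&2
        return 1
    fi
    check_client_certs "$DOCKER_CERT_PATH"
}

# Stand-alone demonstration on a constructed directory (placeholder file
# contents, not real certificates): first an empty volume, then a populated one.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/client"
if ! dind_client_env "$demo_dir/client"; then
    echo "demo: client refused without certificates (expected)"
fi
for f in ca.pem cert.pem key.pem; do
    echo "placeholder" > "$demo_dir/client/$f"
done
if env_out=$(dind_client_env "$demo_dir/client"); then
    echo "demo: client environment:"
    echo "$env_out"
fi
rm -rf "$demo_dir"
```

Inside the docker-client container from the third answer, the intended use is `wait_for_client_certs /certs/client 30 && eval "$(dind_client_env /certs/client)"`, followed by `env_is_tls_verified` as a guard before any `docker` command; a compose file that sets DOCKER_HOST to the 2375 port, or leaves DOCKER_TLS_VERIFY unset, fails that guard.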