Fixed issues with Configure where the Docker daemon listens for conne… (#6391)

Nathan Jones 2018-06-11 19:11:24 -04:00 committed by Gwendolynne Barr
parent a55d0c9dfc
commit 8635c2afdf
1 changed files with 68 additions and 57 deletions


@ -121,72 +121,83 @@ your host's Linux distribution and available kernel drivers.
## Configure where the Docker daemon listens for connections
By default, the Docker daemon listens for connections on a UNIX socket. To
enable Docker to accept requests from remote hosts, you can configure it to
listen on an IP address and port as well. It still needs to listen on the UNIX
socket as well, to accept requests from local clients.
By default, the Docker daemon listens for connections on a UNIX socket to accept requests from local clients. It is possible to allow Docker to accept requests from remote hosts by configuring it to listen on an IP address and port as well as the UNIX socket. For more detailed information on this configuration option take a look at "Bind Docker to another host/port or a unix socket" section of the [Docker CLI Refernce](https://docs.docker.com/engine/reference/commandline/dockerd/) article.
1. Set the `hosts` array in the `/etc/docker/daemon.json` to connect to the
UNIX socket and an IP address, as follows:
> Docker EE customers
>
> Docker EE customers can get remote CLI access to UCP with the UCP client bundle.
> A UCP Client Bundle is generated by UCP and secured by mutual TLS. See the document on
> [CLI access for UCP](https://docs.docker.com/ee/ucp/user-access/cli/) for more
> information.
> Secure your connection
>
> Before configuring Docker to accept connections from remote hosts it is critically important that you
> understand the security implications of opening docker to the network. If steps are not taken to secure the connection,
> it is possible for remote non-root users to gain root access on the host. For more information on how to use TLS
> certificates to secure this connection, check this article on
> [how to protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).
{: .warning}
Configuring Docker to accept remote connections can be done with the `docker.service` systemd unit file for Linux distributions using systemd, such as recent versions of RedHat, CentOS, Ubuntu and SLES, or with the `daemon.json` file which is recommended for Linux distributions that do not use systemd.
> systemd vs `daemon.json`
>
> Configuring docker to listen for connections using both the systemd unit file and the daemon.json
> file causes a conflict that prevents Docker from starting.
### Configuring remote access with `systemd` unit file
1. Use the command `sudo systemctl edit docker.service` to open an override file for `docker.service` in a text editor.
2. Add or modify the following lines, substituting your own values.
```none
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375
```
3. Save the file.
4. Reload the `systemctl` configuration.
```bash
$ sudo systemctl daemon-reload
```
5. Restart Docker.
```bash
$ sudo systemctl restart docker.service
```
6. Check to see whether the change was honored by reviewing the output of `netstat` to confirm `dockerd` is listening on the configured port.
```bash
$ sudo netstat -lntp | grep dockerd
tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 3758/dockerd
```
### Configuring remote access with `daemon.json`
1. Set the `hosts` array in the `/etc/docker/daemon.json` to connect to the UNIX socket and an IP address, as follows:
```json
{
"hosts": ["fd://", "tcp://0.0.0.0:2375"]
"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
}
```
2. Restart Docker. Check to see whether the value was honored, by looking for
the `dockerd` process. If step 1 worked, the Docker daemon shows multiple
`-H` flags:
2. Restart Docker.
3. Check to see whether the change was honored by reviewing the output of `netstat` to confirm `dockerd` is listening on the configured port.
```bash
$ sudo ps aux |grep dockerd
root 31239 0.7 0.2 1007880 72816 ? Ssl 15:03 0:00 /usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
```
**If you see multiple `-H` values, you are done. If you do not see multiple
`-H` values, go to the next step.**
3. On some Linux distributions, such as RHEL and CentOS, the `hosts` key in the
`/etc/docker/daemon.json` file is overridden by the contents of the
`docker.service` service configuration file. In this case, you need to
edit this file manually.
1. Use the command `sudo systemctl edit docker.service` to open the
`docker.service` file in a text editor.
2. Add or modify the following lines, substituting your own values.
```none
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
```
Save the file.
3. Reload the `systemctl` configuration.
```bash
$ sudo systemctl daemon-reload
```
4. Restart Docker.
```bash
$ sudo systemctl restart docker.service
```
5. Check again to see if the `dockerd` command now listens on both the
file descriptor and the network address.
```bash
$ sudo ps aux |grep dockerd
root 31239 0.7 0.2 1007880 72816 ? Ssl 15:03 0:00 /usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
```
$ sudo netstat -lntp | grep dockerd
tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 3758/dockerd
```
## Enable IPv6 on the Docker daemon
To enable IPv6 on the Docker daemon, see
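Review bot: the "Secure your connection" warning in this hunk should say outright that the `tcp://127.0.0.1:2375` used in both the unit-file and `daemon.json` examples is deliberately loopback-only and carries no TLS, because the steps immediately below tell the reader to "substitute your own values" without repeating that a non-loopback address on that port exposes the root-equivalent access the warning itself describes. One sentence after the warning, along the lines of "Keep `127.0.0.1` unless you have completed the TLS setup linked above; the examples use the unencrypted port on purpose," would close that gap. Three smaller points: `Refernce` in the CLI reference link sentence should be `Reference`; the removed RHEL/CentOS paragraph (the unit file's `ExecStart` overriding `hosts` in `daemon.json`) was the only text telling the reader how to find out which method their installation already uses, and the new "systemd vs `daemon.json`" note says the two conflict but not how to check, so consider adding "inspect `ExecStart` in the output of `systemctl cat docker.service` for an existing `-H` flag before editing `daemon.json`"; and, as rendered here, the `netstat` sample at the end of the `daemon.json` section has a closing fence but no opening ```` ```bash ````, so verify the fence pairing in the final file.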