How to make docker listening to unix and TCP socket under centos with systemd

Question

I have installed docker (v17.06.2-ce) under CentOS using systemd. Docker works fine and listens to the unix socket. Now i would like to have docker to listen to the Unix socket and to the TCP socket 2375. Since this is an in-house development machine security is no issue.

I scanned the inte.net found several articles but still got some questions.

My understanding is that I have systemd file (docker.service) which starts the dockerd without any parameters. ExecStart=/usr/bin/dockerd

Then there is the file demon.json here I can list what I will listen to. My question is what to enter here. It could be.

{
   "hosts": [  "unix:///var/run/docker.sock",
                "tcp://0.0.0.0:2375"
            ]
}

Or is it something like this for socket activation?

{
       "hosts": [  "unix:///var/run/docker.sock",
                    "fd://"
                ]
    }

Then the second thing I found out is to prepare systemd socket by providing a file docker.sockst like this

[Unit] Description=Docker Socket for the API
PartOf=docker.service 

[Socket] 
ListenStream=tcp://0.0.0.0:2375 
SocketMode=0660 
SocketUser=root 
SocketGroup=docker 

[Install] 
WantedBy=sockets.target

But this will define only one TCP socket. According to one article then docker will respond to TCP port but no longer to the unix socket.

It would be nice if someone could point out the details.

Answer 1

So don't touch the docker.socket file or anything. Systemd has a concept of DropIns and you can override parts of the services using a dropin file.

So create the dropin folder for the service first

mkdir -p /etc/systemd/system/docker.service.d/

Then your create a config file

cat > /etc/systemd/system/docker.service.d/90-docker.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2375

The first ExecStart= blanks the original command and second ExecStart specifies the new command we want to override

Now we should restart the docker service

systemctl daemon-reload
systemctl restart docker

Now your service would also be listening at 2375. I believe currently the host option cannot be controlled using /etc/docker/daemon.json . See the below link for more details

https://docs.docker.com/engine/reference/commandline/dockerd/#docker-runtime-execution-options

Answer 2

1. cd /lib/systemd/system/
2. vim docker-tcp.socket

3. paste thie to docker-tcp.socket

    [Unit] Description=Docker Socket for the API PartOf=docker.service [Socket] ListenStream=2375 BindIPv6Only=both Service=docker.service [Install] WantedBy=sockets.target 

4. systemctl daemon-reload

5. systemctl stop docker.service
6. systemctl enable docker-tcp.socket
7. systemctl start docker-tcp.socket
8. systemctl start docker.service
9. verify 2375 port is opened docker -H 127.0.0.1 ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

Answer 3

I actually just posted this answer to an open issue on Github for PhotonOS. I created a gist with the instructions doc markdown as well as the equivalent shell script.

It allows for maintaining both local unix socket as well as remote TCP-based access to the API. Unlike most instructions, it follows the Docker supported method of creating the docker.socket service and binding it to docker service as a dependency, rather than hard-coding either/or TCP or unix fd sock on the command line, or hacking any system files that get overwritten at every upgrade.

Gist is at: https://git.io/fjhhO

Answer 4

To listen on both - socket and tcp:

1. create folder: /etc/systemd/system/docker.socket.d
2. create file 10-tcp.conf inside the folder with the content:

[Socket]
ListenStream=0.0.0.0:2375

3. restart everything:

systemctl daemon-reload
systemctl stop docker.socket
systemctl stop docker.service
systemctl start docker

Plus are:

• it us user space systemd drop-in, ie would not disappear after upgrade of the docker
• would allow to use both - socket and tcp connection