 

Docker remote daemon (TCP): Cannot connect to the Docker daemon


I'm trying to connect a docker daemon from a client to a remote host via TCP but I'm getting this error:

docker -H tcp://{{HOST_IP}}:2375 ps

Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?

What could be possible reasons for that? What is a proper debugging approach for finding a solution?

  • System: Ubuntu 18.04 (client and host)
  • ufw: enabled for all incoming & outgoing (for testing purposes)
  • access rights: working with root on client & host

WHAT I DID

On host:

systemctl edit docker.service

Add and save these lines:

[Service]
 ExecStart=
 ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375

Reload daemon:

systemctl daemon-reload

Restart docker:

systemctl restart docker.service

Check if it worked:

netstat -lntp | grep dockerd

Result:

tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      3758/dockerd

Test with docker:

docker -H tcp://127.0.0.1:2375 ps

Everything worked on the host. However, when I try to connect from the client to the remote host I get an error.

On client:

docker -H tcp://{{HOST_IP}}:2375 ps

Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?

Connecting via ssh works:

docker -H ssh://root@{{HOST_IP}} ps
danieljacky asked Jan 05 '20 23:01



1 Answer

You have the Docker daemon listening on the localhost address, 127.0.0.1. You won't be able to connect to that from a remote host. The only host that can connect to that address is...the local host.

To have the Docker daemon accept connections from remote hosts, you probably want:

ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375

That means, "listen for connections from all hosts". But you don't really want that, because that would grant unauthenticated root access to your system to anyone who was able to connect to that port. You could use iptables to limit access to only particular remote hosts, but it's still a problem, because anybody able to access any of those hosts would have, again, unauthenticated root access to your Docker host.

What you really want to do is to read through "Protect the Docker daemon socket", which discusses how to set up certificate-based authentication for remote connections to the Docker daemon. Unlike the examples in your question, the configuration discussed in that document requires clients to authenticate using an SSL certificate.

This is much more secure than permitting unauthenticated access from anywhere, and it is somewhat more secure than allowing unauthenticated access from specific hosts (because filesystem ownership and permissions can be used to restrict access to the SSL private keys required to grant access to the docker daemon).

larsks answered Oct 02 '22 14:10

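The procedure the answer points to ("Protect the Docker daemon socket") carried through end to end, as an added example that is not part of the original question or answer: a CA, a server certificate whose SAN is the address the client dials, a client certificate limited to clientAuth, and the systemd drop-in that makes dockerd listen on 0.0.0.0:2376 but refuse any connection without a certificate chained to that CA. It assumes `openssl` is on PATH; the CA name `docker-ca`, the placeholder address `192.0.2.10`, the directory `/etc/docker/certs` and the function names are this example's own choices, not anything the page specifies.

```shell
#!/bin/sh
# Added example (not from the original post): TLS client-certificate protection for
# a remote Docker daemon, following the steps in "Protect the Docker daemon socket".
# Assumes openssl is available. Names and paths below are illustrative choices.
set -eu

# make_docker_tls_pki DIR HOST_IP
# Writes ca.pem, server-cert.pem/server-key.pem (SAN = HOST_IP and 127.0.0.1,
# serverAuth only) and cert.pem/key.pem (clientAuth only) into DIR.
make_docker_tls_pki() {
  dir=$1; host_ip=$2
  mkdir -p "$dir"
  ( cd "$dir"
    # CA: the single trust root that both dockerd and the client verify against.
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem \
      -subj "/CN=docker-ca" -out ca.pem
    # Server cert: the SAN must contain the address the client puts in -H tcp://...
    openssl genrsa -out server-key.pem 4096 2>/dev/null
    openssl req -new -sha256 -key server-key.pem -subj "/CN=$host_ip" -out server.csr
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
      "$host_ip" > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null
    # Client cert: possession of key.pem is what grants root-equivalent access to the
    # daemon, so it is restricted to clientAuth and locked down with file permissions.
    openssl genrsa -out key.pem 4096 2>/dev/null
    openssl req -new -sha256 -key key.pem -subj "/CN=client" -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile client-ext.cnf -out cert.pem 2>/dev/null
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
  )
}

# write_dockerd_override CERT_DIR OUT_FILE
# Emits the drop-in you would paste into `systemctl edit docker.service`.
# --tlsverify makes dockerd reject any TCP client whose certificate does not
# chain to ca.pem; 2376 is the conventional TLS port (2375 is the plaintext one).
write_dockerd_override() {
  cert_dir=$1; out=$2
  cat > "$out" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=$cert_dir/ca.pem --tlscert=$cert_dir/server-cert.pem --tlskey=$cert_dir/server-key.pem
EOF
}

# check_pki DIR HOST_IP
# Both leaf certificates chain to the CA and the server cert carries the IP SAN
# the client will dial. Returns non-zero if any of that is missing.
check_pki() {
  dir=$1; host_ip=$2
  openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null &&
  openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null &&
  openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -q "IP Address:$host_ip"
}

# Stand-alone run: `sh thisfile.sh run <HOST_IP>` (192.0.2.10 is a placeholder).
if [ "${1:-}" = "run" ]; then
  host_ip=${2:-192.0.2.10}
  out=$(mktemp -d)
  make_docker_tls_pki "$out/certs" "$host_ip"
  write_dockerd_override /etc/docker/certs "$out/override.conf"
  check_pki "$out/certs" "$host_ip"
  echo "certs in $out/certs; systemd drop-in in $out/override.conf"
  echo "client: docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://$host_ip:2376 ps"
fi
```

After copying ca.pem, server-cert.pem and server-key.pem to the host's cert directory and installing the drop-in (`systemctl daemon-reload && systemctl restart docker.service`), a `netstat -lntp | grep dockerd` on the host should show `0.0.0.0:2376` instead of `127.0.0.1:2375`, and the plain `docker -H tcp://HOST_IP:2376 ps` from the client fails the TLS handshake while the `--tlsverify` form with ca.pem, cert.pem and key.pem succeeds. Only ca.pem, cert.pem and key.pem need to leave the host; ca-key.pem should stay offline, since anyone holding it can mint new client certificates.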