docker.socket: Failed with result 'service-start-limit-hit' after protecting docker daemon socket

Question

I followed the steps provided in the documentation here to add tls security for docker api. Certificates are located in ~/.docker/ as well as /etc/docker/ssl/ folders. I added override.conf to /etc/systemd/system/docker.service.d/ with content

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem

Then, I used daemon-reload and docker start

$ systemctl daemon-reload
$ service docker start

The errors in journalctl -xe is:

-- Unit docker.socket has finished starting up.
-- 
-- The start-up result is RESULT.
Jan 15 21:43:24 cynicalplyaground systemd[1]: docker.service: Start request repeated too quickly.
Jan 15 21:43:24 cynicalplyaground systemd[1]: docker.service: Failed with result 'exit-code'.
Jan 15 21:43:24 cynicalplyaground systemd[1]: Failed to start Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit docker.service has failed.
-- 
-- The result is RESULT.
Jan 15 21:43:24 cynicalplyaground systemd[1]: docker.socket: Failed with result 'service-start-limit-hit'.
Jan 15 21:45:01 cynicalplyaground CRON[12768]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 15 21:45:01 cynicalplyaground CRON[12769]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 15 21:45:01 cynicalplyaground CRON[12768]: pam_unix(cron:session): session closed for user root

How can I sort this issue?

Answer 1

In the present case the same error occured after the latest manjaro update (2020-01-20).
Tried to change the systemd docker service, as adviced in other cases, but I reverted those changes and finally this was solved with:

• a reboot of the system

(like advised here: https://www.reddit.com/r/archlinux/comments/7ya4ug/installing_docker_on_arch_linux/)

Answer 2

For me it was because the docker installer uses iptables for nat. Unfortunately Debian uses nftables. You can convert the entries over to nftables or just setup Debian to use the legacy iptables.

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

dockerd, should start fine after switching to iptables-legacy.

Answer 3

Getting to the root of the problem;

systemctl status docker.service

has this: /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Trying to run that command, it complains about unable to configure the Docker daemon with file /etc/docker/daemon.json: EOF

ls -l /etc/docker/daemon.json -rw-r--r-- 1 root root 0 Jul 30 10:32 /etc/docker/daemon.json

NOTE that the JSON file is empty. Delete it.

Answer 4

I have the same issue and just modify the "/usr/bin/dockerd" to "/usr/sbin/dockerd", then it works. You can check the dockerd path first.