Use of docker:dind in docker-compose

So for some reason, I'd like to use docker:dind inside a docker-compose.yml. I know that the "easy" way is to mount the socket directly inside the image (like this: /var/run/docker.sock:/var/run/docker.sock), but I want to avoid that (for security reasons).

Here is my experimental docker-compose.yml:

version: '3.8'
services:
  dind:
    image: docker:19.03.7-dind
    container_name: dind
    restart: unless-stopped
    privileged: true
    environment:
      - DOCKER_TLS_CERTDIR=/certs
    volumes:
      - dind-certs-ca:/certs/ca
      - dind-certs-client:/certs/client
    networks:
      - net
    expose:
      - 2375
      - 5000

volumes:
  dind-certs-ca:
  dind-certs-client:
networks:
  net:
    driver: bridge

Nothing complex here. Then I try to see if the service is correctly set up:

docker logs dind

No problem here, it is up and running. However, once I try to use it with, for instance:

docker run --rm -it --network net --link dind:docker docker version

I get the following error:

Cannot connect to the Docker deamon at tcp://docker:2375. Is there a deamon running ?

Do you have any idea why the daemon is not responding?

---------------------------------------------------------- EDIT ----------------------------------------------------------

Following hariK's comment (thanks, by the way), I added port 2376 to the exposed ones. I think I'm near solving my issue. Here is the error that I get:

error during connect: Get http://docker:2375/v1.40/version dial tcp: lookup on docker on [ip]: no such host

So I looked at this error and found that it seems to be a recurrent one on dind versions (there are a lot of issues on GitLab about it, like this one). There is also a post on Stack Overflow about a similar issue for GitLab here.

For the workaround I tried:

  1. Setting DOCKER_TLS_CERTDIR: "", hoping to turn off TLS ... but it failed
  2. Downgrading the version to docker:18.05-dind. It actually worked, but I don't think it's a good move to make.

If someone has an idea to keep TLS ON and make it work, it would be great :) (I'll still be looking on my own, but if you can give a nudge with interesting links it would be cool ^^)

Pacifuras asked Oct 27 '25 07:10


1 Answer

To use Docker with disabled TLS (i.e. TCP port 2375 by default), unset the DOCKER_TLS_CERTDIR variable in your dind service definition in Docker Compose, like:

  dind:
    image: docker:dind
    container_name: dind
    privileged: true
    expose:
    - 2375
    environment:
    - DOCKER_TLS_CERTDIR=

(NB: do not initialize it to any value like '' or "")

cactuschibre answered Oct 28 '25 22:10


