
Managing local unix-socket based docker via docker-machine

Open jleskovar opened this issue 9 years ago • 11 comments

Hi there,

For the sake of consistency, I'd like to have my local docker be managed via docker-machine. When I try to create and use my local docker-machine using the 'none' driver:

docker-machine create -d none --url=unix:///var/run/docker.sock localhost
eval "$(docker-machine env)"

I end up with: FATA[0000] Couldn't read ca cert /home/james/.docker/machine/machines/localhost/ca.pem: open /home/james/.docker/machine/machines/localhost/ca.pem: no such file or directory

To get around this, I have to manually unset DOCKER_TLS_VERIFY just for my localhost docker, which is kind of annoying. Are there plans to add the ability to disable TLS when creating a docker-machine using -d none?

jleskovar avatar Jun 28 '15 04:06 jleskovar

What about just adding the host without specifying the driver? docker-machine create --url=unix:///var/run/docker.sock localbox

$ docker-machine create --url=unix:///var/run/docker.sock localbox
$ docker-machine env localbox
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH="/Users/myuser/.docker/machine/machines/localbox"
export DOCKER_HOST=unix:///var/run/docker.sock

# Run this command to configure your shell: eval "$(docker-machine env localbox)"

PS: I'm on Mac OS X, so I don't have an actual docker daemon running on the above-mentioned socket. However, it didn't complain about certs during the eval.

TeckniX avatar Jun 29 '15 22:06 TeckniX

Adding the host without specifying the driver is the same as -d none, AFAIK... Just to clarify, I get the CA cert error when I attempt to run any docker commands after running the eval:

$ eval "$(docker-machine env)"
$ docker ps
Couldn't read ca cert /home/development/.docker/machine/machines/localbox/ca.pem: open /home/development/.docker/machine/machines/localbox/ca.pem: no such file or directory

The problem is that since DOCKER_TLS_VERIFY=1 gets set as part of the eval, the client will attempt to use TLS to talk to the local daemon via the unix socket, which fails as I haven't set up any certs for my local daemon.

jleskovar avatar Jun 29 '15 23:06 jleskovar

I'm a fan of detecting any hosts listening at /var/run/docker.sock and displaying them in docker-machine ls by default, so maybe we can make this work somehow.

nathanleclaire avatar Jul 06 '15 22:07 nathanleclaire

Any workaround for this? I cannot use docker VirtualBox machines on Windows at all due to "certificate signed by unknown authority":

docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository docker.io/library/hello-world
Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority

dkirrane avatar Feb 04 '16 12:02 dkirrane

Normally if you are managing local stuff you can just not use docker-machine. I wanted to use PyCharm with docker, and PyCharm only manages docker via docker-machine. In this case I could work around it, to some degree, by writing a fake docker-machine shell script that emulated docker-machine for local docker.

dobesv avatar Feb 05 '16 02:02 dobesv
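A sketch of such a stand-in, added here as an example (it is not dobesv's script from the PyCharm tracker and not part of docker-machine): it answers the few subcommands an IDE integration typically calls and, for the unix socket, emits unset for DOCKER_TLS_VERIFY and DOCKER_CERT_PATH instead of pointing the client at a cert directory that does not exist, which is the failure described earlier in this thread. The machine name, socket path and the set of emulated subcommands are assumptions.

```shell
#!/bin/sh
# Minimal stand-in for "docker-machine" when the only "machine" is the local
# unix socket. Name, socket path and emulated subcommands are assumptions.
FAKE_MACHINE_NAME="${FAKE_MACHINE_NAME:-localhost}"
FAKE_DOCKER_SOCK="${FAKE_DOCKER_SOCK:-/var/run/docker.sock}"

# Print the shell snippet "docker-machine env" would print, but for a unix
# socket: there is no TLS on it, so DOCKER_TLS_VERIFY and DOCKER_CERT_PATH are
# explicitly unset (a stale value from another machine would otherwise make the
# client look for ca.pem again). Argument: socket path.
fake_machine_env() {
  sock="$1"
  printf 'unset DOCKER_TLS_VERIFY\n'
  printf 'unset DOCKER_CERT_PATH\n'
  printf 'export DOCKER_HOST="unix://%s"\n' "$sock"
  printf 'export DOCKER_MACHINE_NAME="%s"\n' "$FAKE_MACHINE_NAME"
}

# "Running" if the path exists and is a socket, "Stopped" otherwise.
fake_machine_status() {
  [ -S "$1" ] && echo Running || echo Stopped
}

# Dispatcher for the subcommands we emulate; the "ls" table is a simplified
# version of the real one (NAME, DRIVER, STATE, URL only).
fake_machine_main() {
  case "$1" in
    ls)     printf 'NAME\tDRIVER\tSTATE\tURL\n'
            printf '%s\tnone\t%s\tunix://%s\n' "$FAKE_MACHINE_NAME" \
                   "$(fake_machine_status "$FAKE_DOCKER_SOCK")" "$FAKE_DOCKER_SOCK" ;;
    env)    fake_machine_env "$FAKE_DOCKER_SOCK" ;;
    url)    echo "unix://$FAKE_DOCKER_SOCK" ;;
    status) fake_machine_status "$FAKE_DOCKER_SOCK" ;;
    *)      echo "fake docker-machine: unsupported subcommand: $1" >&2; return 1 ;;
  esac
}

# Only dispatch when invoked with arguments, so sourcing the file merely
# defines the functions.
if [ "$#" -gt 0 ]; then fake_machine_main "$@"; fi
```

Put it first on PATH (or point the IDE at it) as docker-machine; running eval "$(docker-machine env)" then yields a plain unix-socket DOCKER_HOST with no TLS settings.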

@dobesv - could I grab a copy of that script, I have exactly the same use case :-)

martynsmith avatar Feb 17 '16 21:02 martynsmith

@martynsmith

You can get the script in the PyCharm issue tracker: https://youtrack.jetbrains.com/issue/PY-17454

dobesv avatar Feb 18 '16 05:02 dobesv

Can I +1 this? I use HSM-based (Yubikey Neo) SSH keys for my remote hosts and am not a fan of using filesystem files (client keys/certs), especially unencrypted ones, for auth to my docker hosts (malware could easily steal them). I'm currently using a wacky gpg-agent+socat+ssh setup to create local sockets that run over a persistent, key-based ssh link to the remotes - I talk to docker only over the socket and not via TLS.

I use multiple hosts this way, with different local socket paths.

Being able to just add local socket paths (with env showing DOCKER_TLS_VERIFY=0) to docker-machine would be awesome, because then I can fit them into my existing docker-machine env workflows.

sneak avatar Apr 08 '16 14:04 sneak

Any progress on this?

user@host:~$ docker-machine create localhost -d none --url unix:///var/run/docker.sock
Running pre-create checks...
Creating machine...
To see how to connect your Docker Client to the Docker Engine running on this virtual machine, run: docker-machine env localhost
user@host:~$ docker-machine ls
NAME        ACTIVE   DRIVER   STATE     URL                           SWARM   DOCKER     ERRORS
localhost   -        none     Running   unix:///var/run/docker.sock           v18.09.0   
user@host:~$ docker-machine env localhost
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "": dial tcp: missing address
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which might stop running containers.

user@host:~$ docker --version
Docker version 18.09.0, build 4d60db4
user@host:~$ docker-machine --version
docker-machine version 0.16.0, build 702c267f
user@host:~$ 

msangel avatar Jan 03 '19 04:01 msangel

Even after more than five years, this feature is still needed.

I need to create an instance that could be managed from my host using the standard /var/run/docker.sock socket so that applications could use it.

Something like:

docker-machine create default --driver vmware --url unix:///var/run/docker.sock

But it's returning "flag provided but not defined: -url".

marfier avatar Oct 29 '20 12:10 marfier

docker-machine is abandonware, and Docker the company seems more interested in shipping proprietary, closed-source spyware (such as Docker Desktop, or Docker for Windows) than things like docker-machine.

It's time to find a new tool.

sneak avatar Oct 29 '20 16:10 sneak