docker-in-docker: `Cannot connect to the Docker daemon at tcp://docker:2375`

I am trying to manually use the docker:19.03.5-dind image as shown by the "How to use this image" section.

  • First I am running the daemon

    $ docker run --privileged -d --rm --name=docker-daemon \
                 --network=test  docker:19.03.5-dind
  • I see that it is up and listens on port 2376

    $ docker logs docker-daemon
    time="2019-11-28T11:31:40.266976728Z" level=info msg="Daemon has completed initialization"
    time="2019-11-28T11:31:40.550083421Z" level=info msg="API listen on [::]:2376"
    time="2019-11-28T11:31:40.550169911Z" level=info msg="API listen on /var/run/docker.sock"
  • Next I bring up the docker client:

    $ docker run -it --rm --name=my-docker \
          --network=test --link=docker-daemon:docker docker:19.03.5
  • From the client I can ping the docker-daemon and its docker alias

    # ping docker-daemon -c1
    PING docker-daemon ( 56 data bytes
    64 bytes from seq=0 ttl=64 time=0.146 ms
    # ping docker -c1
    PING docker ( 56 data bytes
    64 bytes from seq=0 ttl=64 time=0.177 ms
  • But still I can't run docker:

    # docker ps
    Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?

Shouldn't it try to connect on port 2376? What am I missing here?

My host running Ubuntu 18.04 with Docker version 18.09.7, build 2d0083d

You need to follow the steps from the linked documentation that include mounting the certificate directory as a volume in both containers, and passing the env variable on the client container:

$ docker run --privileged --name some-docker -d \
    --network some-network --network-alias docker \
    -e DOCKER_TLS_CERTDIR=/certs \
    -v some-docker-certs-ca:/certs/ca \
    -v some-docker-certs-client:/certs/client \

$ docker run --rm --network some-network \
    -e DOCKER_TLS_CERTDIR=/certs \
    -v some-docker-certs-client:/certs/client:ro \
    docker:latest version

The first image populates the volume mount, and the second images uses those certificates to communicate over 2376. Without the certificates, it is trying to connect to the unencrypted 2375 port which is not enabled by default in the 19.03 dind images.