docker-in-docker: `Cannot connect to the Docker daemon at tcp://docker:2375`

I am trying to manually use the docker:19.03.5-dind image as shown by the "How to use this image" section.

  • First I am running the daemon

    $ docker run --privileged -d --rm --name=docker-daemon \
                 --network=test  docker:19.03.5-dind
    e1f8544d30df5bc010d67e38b38be0f47306b29ab0fdeb32861c5716582c9917
    
  • I see that it is up and listens on port 2376

    $ docker logs docker-daemon
    ...
    time="2019-11-28T11:31:40.266976728Z" level=info msg="Daemon has completed initialization"
    time="2019-11-28T11:31:40.550083421Z" level=info msg="API listen on [::]:2376"
    time="2019-11-28T11:31:40.550169911Z" level=info msg="API listen on /var/run/docker.sock"
    
  • Next I bring up the docker client:

    $ docker run -it --rm --name=my-docker \
          --network=test --link=docker-daemon:docker docker:19.03.5
    
  • From the client I can ping the docker-daemon and its docker alias

    # ping docker-daemon -c1
    PING docker-daemon (172.20.0.2): 56 data bytes
    64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.146 ms
    ...
    # ping docker -c1
    PING docker (172.20.0.2): 56 data bytes
    64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.177 ms
    ...
    
  • But still I can't run docker:

    # docker ps
    Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?
    

Shouldn't it try to connect on port 2376? What am I missing here?


My host is running Ubuntu 18.04 with Docker version 18.09.7, build 2d0083d

You need to follow the steps from the linked documentation that include mounting the certificate directory as a volume in both containers, and passing the env variable on the client container:

    $ docker run --privileged --name some-docker -d \
        --network some-network --network-alias docker \
        -e DOCKER_TLS_CERTDIR=/certs \
        -v some-docker-certs-ca:/certs/ca \
        -v some-docker-certs-client:/certs/client \
        docker:dind

    $ docker run --rm --network some-network \
        -e DOCKER_TLS_CERTDIR=/certs \
        -v some-docker-certs-client:/certs/client:ro \
        docker:latest version

The first image populates the volume mount, and the second image uses those certificates to communicate over 2376. Without the certificates, it is trying to connect to the unencrypted 2375 port, which is not enabled by default in the 19.03 dind images.
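
The endpoint selection described in the answer above, as an added example that is not part of the original post and is not the image's own entrypoint script. The function names are hypothetical, and the check assumes the standard Docker client TLS file names `ca.pem`, `cert.pem` and `key.pem` under `$DOCKER_TLS_CERTDIR/client`.

```shell
#!/bin/sh
# Added illustration (not the image's entrypoint): report which endpoint a dind
# client ends up on, following the behaviour described in the answer above.

# missing_client_certs DIR: print each client TLS file that is absent from DIR.
missing_client_certs() {
    for f in ca.pem cert.pem key.pem; do
        [ -r "$1/$f" ] || printf '%s\n' "$f"
    done
}

# dind_client_endpoint CERTDIR: print the endpoint the client would try.
# CERTDIR is the value of DOCKER_TLS_CERTDIR inside the client container.
dind_client_endpoint() {
    certdir=$1
    if [ -n "$certdir" ] && [ -z "$(missing_client_certs "$certdir/client")" ]; then
        printf 'tcp://docker:2376 (TLS, certs in %s/client)\n' "$certdir"
    else
        printf 'tcp://docker:2375 (plaintext)\n'
    fi
}

# explain CERTDIR: say why a given setup lands on 2375 or 2376.
explain() {
    certdir=$1
    if [ -z "$certdir" ]; then
        echo "DOCKER_TLS_CERTDIR is not set in the client container"
    else
        missing=$(missing_client_certs "$certdir/client" | tr '\n' ' ')
        [ -z "$missing" ] || echo "missing in $certdir/client: $missing"
    fi
    dind_client_endpoint "$certdir"
}

# Constructed demo: a temp dir stands in for the client's /certs mount, and
# empty placeholder files stand in for the certs the daemon container generates.
demo=$(mktemp -d)
mkdir -p "$demo/client"
explain ""        # the question's setup: no env variable, no volume
explain "$demo"   # env variable set, but the client volume is empty
touch "$demo/client/ca.pem" "$demo/client/cert.pem" "$demo/client/key.pem"
explain "$demo"   # the answer's setup: env variable set and certs mounted
rm -rf "$demo"
```

Inside a real client container, `explain "$DOCKER_TLS_CERTDIR"` shows whether a fallback to 2375 comes from the missing variable or from an unmounted certificate volume.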