Bug 1290588 - Docker daemon in the CDK is not accessible outside the vagrant image
Summary: Docker daemon in the CDK is not accessible outside the vagrant image
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Container Development Kit (CDK)
Classification: Red Hat
Component: distribution
Version: 2.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 2.0
Assignee: Praveen Kumar
QA Contact: David Kutálek
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-12-10 21:27 UTC by Keith Babo
Modified: 2016-03-29 07:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-29 07:38:46 UTC
Target Upstream Version:
Embargoed:
prkumar: needinfo-



Description Keith Babo 2015-12-10 21:27:35 UTC
Description of problem:
Docker daemon in the CDK is not accessible outside the vagrant image.  According to the output of 'vagrant adbinfo', the Docker daemon should be available:

export DOCKER_HOST=tcp://10.1.2.2:2376

I don't see anything bound to 2376 when the vagrant image is up and /etc/sysconfig/docker does not include the -H host binding directive.  Looking at the daemon process I see:

/usr/bin/docker daemon --selinux-enabled --storage-opt dm.no_warn_on_loop_devices=true --storage-driver devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/VolGroup00-docker--pool --add-registry rcm-img-docker01.build.eng.bos.redhat.com:5001 --add-registry registry.access.redhat.com --insecure-registry rcm-img-docker01.build.eng.bos.redhat.com:5001 --insecure-registry 172.30.0.0/16


Version-Release number of selected component (if applicable):
CDK 2 Beta 3

How reproducible:
Always

Steps to Reproduce:
1. 'vagrant up' in the rhel-ose directory of the CDK 
2. capture required env vars with 'vagrant adbinfo' and export them
3. invoke any docker client command outside the vm (e.g. 'docker ps')

Actual results:
docker command cannot connect to daemon.

Expected results:
Ability to use docker client commands like 'docker ps' and 'docker build' outside the vagrant image.

Additional info:
I'm able to work around this issue by updating /etc/sysconfig/docker to include the following in the OPTIONS var:
 -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375

Is this an appropriate workaround or is there a preferred alternative?

Comment 3 Keith Babo 2015-12-15 14:15:10 UTC
Thanks for the detailed reply and the quick fix!  I tested with the above settings and noticed that the cert used by the Docker daemon in the CDK appears to use 127.0.0.1 in its CN vs. the IP used by the Docker client outside the Vagrant image (10.1.2.2). 

Here's the output from any docker client command outside the VM (e.g. 'docker info'):

An error occurred trying to connect: Get https://10.1.2.2:2376/v1.20/containers/json: x509: certificate is valid for 127.0.0.1, not 10.1.2.2

The only workarounds I can think of here are either:
a) Disable tlsverify for the Daemon.
b) Generate a new set of self-signed certs.

Is there another option?
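
The following Python check is an added example, not part of this bug report or of the CDK. It audits a docker daemon OPTIONS string against the client's DOCKER_HOST, covering both the tcp://0.0.0.0:2375 workaround in the description and option (a) above: any TCP listener running without --tlsverify accepts unauthenticated clients. The function names, finding codes and certificate paths are assumptions for illustration, and the option strings are constructed from those quoted in the report.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# Constructed inputs based on the options quoted in this report.
# HARDENED is hypothetical; its certificate paths are placeholders.
ORIGINAL = "--selinux-enabled --insecure-registry 172.30.0.0/16"
WORKAROUND = ORIGINAL + " -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED = (ORIGINAL + " -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/path/to/ca.pem"
            " --tlscert=/path/to/cert.pem --tlskey=/path/to/key.pem")


def parse_listeners(options):
    """Return (list of -H/--host values, whether --tlsverify is set)."""
    args = shlex.split(options)
    hosts, tlsverify = [], False
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return hosts, tlsverify


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a name (or empty host) rather than an IP literal
        return host == "localhost"


def audit(options, docker_host):
    """Return finding codes for daemon OPTIONS versus the client's DOCKER_HOST."""
    hosts, tlsverify = parse_listeners(options)
    tcp = [urlsplit(h) for h in hosts if h.startswith("tcp://")]
    findings = []
    if urlsplit(docker_host).port not in [u.port for u in tcp]:
        findings.append("no-listener-on-client-port")
    for u in ([] if tlsverify else tcp):  # TCP without client-cert verification
        scope = "loopback" if is_loopback(u.hostname) else "network"
        findings.append(f"unauthenticated-tcp-{scope}:{u.port}")
    return findings


if __name__ == "__main__":
    for name, opts in [("original", ORIGINAL), ("workaround", WORKAROUND), ("hardened", HARDENED)]:
        print(name, audit(opts, "tcp://10.1.2.2:2376"))
```

The check looks only at daemon options; it does not inspect certificate contents, so a name mismatch like the x509 error quoted above still has to be resolved by issuing a server certificate that lists the address the client connects to.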

Comment 8 Navid Shaikh 2016-01-20 15:38:12 UTC
@Keith: Should this bug be closed?

Comment 10 Praveen Kumar 2016-03-29 07:38:46 UTC
This happened due to a VagrantFile option in beta-3 and it is now resolved. Closing this bug as 'worksforme'.

