Bug 1290588 - Docker daemon in the CDK is not accessible outside the vagrant image
Status: CLOSED WORKSFORME
Product: Container Development Kit (CDK)
Classification: Red Hat
Component: distribution
2.0
Assigned To: Praveen Kumar
David Kutálek
Vikram Goyal
Reported: 2015-12-10 16:27 EST by Keith Babo
Modified: 2016-03-29 03:38 EDT
Doc Type: Bug Fix
Last Closed: 2016-03-29 03:38:46 EDT
Type: Bug

Description Keith Babo 2015-12-10 16:27:35 EST
Description of problem:
Docker daemon in the CDK is not accessible outside the vagrant image.  According to the output of 'vagrant adbinfo', the Docker daemon should be available:

export DOCKER_HOST=tcp://10.1.2.2:2376

I don't see anything bound to 2376 when the vagrant image is up and /etc/sysconfig/docker does not include the -H host binding directive.  Looking at the daemon process I see:

/usr/bin/docker daemon --selinux-enabled --storage-opt dm.no_warn_on_loop_devices=true --storage-driver devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/VolGroup00-docker--pool --add-registry rcm-img-docker01.build.eng.bos.redhat.com:5001 --add-registry registry.access.redhat.com --insecure-registry rcm-img-docker01.build.eng.bos.redhat.com:5001 --insecure-registry 172.30.0.0/16


Version-Release number of selected component (if applicable):
CDK 2 Beta 3

How reproducible:
Always

Steps to Reproduce:
1. 'vagrant up' in the rhel-ose directory of the CDK 
2. capture required env vars with 'vagrant adbinfo' and export them
3. invoke any docker client command outside the vm (e.g. 'docker ps')

Actual results:
docker command cannot connect to daemon.

Expected results:
Ability to use docker client commands like 'docker ps' and 'docker build' outside the vagrant image.

Additional info:
I'm able to work around this issue by updating /etc/sysconfig/docker to include the following in the OPTIONS var:
 -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375

Is this an appropriate workaround or is there a preferred alternative?
Comment 3 Keith Babo 2015-12-15 09:15:10 EST
Thanks for the detailed reply and the quick fix!  I tested with the above settings and noticed that the cert used by the Docker daemon in the CDK appears to use 127.0.0.1 in its CN vs. the IP used by the Docker client outside the Vagrant image (10.1.2.2). 

Here's the output from any docker client command outside the VM (e.g. 'docker info'):

An error occurred trying to connect: Get https://10.1.2.2:2376/v1.20/containers/json: x509: certificate is valid for 127.0.0.1, not 10.1.2.2

The only workarounds I can think of here are either:
a) Disable tlsverify for the Daemon.
b) Generate a new set of self-signed certs.

Is there another option?
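
The x509 error quoted in the comment above comes from Go's hostname check against the certificate's IP SANs. As an added example (not code from the CDK or from this report), the Go program below issues throwaway self-signed certificates and shows that one carrying only 127.0.0.1 fails for 10.1.2.2, while one reissued with both addresses passes with verification left on. The function names and the CN `docker-daemon.example` are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned issues a throwaway cert with the given IP SANs (constructed test material).
func selfSigned(ips ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "docker-daemon.example"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// dialCheck issues a cert with the given IP SANs and verifies it against addr.
func dialCheck(addr string, sans ...string) error {
	cert, err := selfSigned(sans...)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(addr) // same SAN check a Go TLS client applies
}

func main() {
	fmt.Println("old cert:     ", dialCheck("10.1.2.2", "127.0.0.1"))
	fmt.Println("reissued cert:", dialCheck("10.1.2.2", "127.0.0.1", "10.1.2.2"))
}
```
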
Comment 8 Navid Shaikh 2016-01-20 10:38:12 EST
@Keith: Should this bug be closed ?
Comment 10 Praveen Kumar 2016-03-29 03:38:46 EDT
This happened due to a VagrantFile option in beta-3 and it is now resolved. Closing this bug as 'worksforme'.
