Cannot connect to cluster created with swarm mode

I followed the instructions at https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/ to set up the first node in my swarm cluster.

Problem is, I’m unable to remotely connect to it. I’m using the same ports as in the example, and the client simply responds with "malformed HTTP response “\x15\x03\x01\x00\x02\x02”" when attempting to connect.

My manager node is configured with ssh password rather than key, so at this point I have no idea where (if it even exists) I can find the key that lets me connect. Am I stupid or are the docs missing something?

@trondhindenes, what do you mean you’re unable to remotely connect to the machine? What command are you running and where?

You need to SSH into your manager machine and run docker swarm init locally to the machine.
Also you need to have Docker Engine 1.12 installed on the manager machine.

HTH,

Charles

Is the Swarm Manager listening for HTTP on address :2375 with tcp protocol?

Hi,

I have the same issue, I’m running 1 manager and 2 workers on EC2 instances.
Which certificate do I need to use in order to connect my client (export DOCKER_CERT_PATH=)?
I guess that when I ran the docker swarm init command it created the certificate…

[root@swarm-manger01 ~]# docker version
Client:
Version: 1.12.0-rc2
API version: 1.24
Go version: go1.6.2
Git commit: 906eacd
Built:
OS/Arch: linux/amd64
Experimental: true

Server:
Version: 1.12.0-rc2
API version: 1.24
Go version: go1.6.2
Git commit: 906eacd
Built:
OS/Arch: linux/amd64
Experimental: true
[root@swarm-manger01 ~]# docker node ls
ID NAME MEMBERSHIP STATUS AVAILABILITY MANAGER STATUS
0dziu2i0qrzgmpwx2j10m7eyy ip-10-1-11-24.ec2.internal Accepted Ready Active
1ye03pfxm8ncq9qnd0hh2knsa * swarm-manger01 Accepted Ready Active Leader
bd2rog6weod3xylegn0d98y3j ip-10-1-11-23.ec2.internal Accepted Ready Active
[root@swarm-manger01 ~]# netstat -nlp | grep -i docker
tcp 0 0 10.1.11.25:7946 0.0.0.0:* LISTEN 784/dockerd
tcp6 0 0 :::2377 :::* LISTEN 784/dockerd
udp 0 0 10.1.11.25:7946 0.0.0.0:* 784/dockerd
unix 2 [ ACC ] STREAM LISTENING 21525 1158/docker-contain /var/run/docker/libcontainerd/docker-containerd.sock
unix 2 [ ACC ] STREAM LISTENING 22935 784/dockerd /var/lib/docker/network/files/a5330a36d1b4aa440e1ad06113e28f88da84418232bd51f622bf1e05b2618805.sock
unix 2 [ ACC ] STREAM LISTENING 23430 784/dockerd /var/lib/docker/swarm/control.sock
unix 2 [ ACC ] STREAM LISTENING 17570 1/systemd /var/run/docker.sock
[root@swarm-manger01 ~]#

royee@Royees-MacBook-Pro-2 ~> export DOCKER_HOST=XX.XXX.XX.XXX:2377
royee@Royees-MacBook-Pro-2 ~> docker version
Client:
Version: 1.12.0-rc2
API version: 1.24
Go version: go1.6.2
Git commit: 906eacd
Built: Fri Jun 17 20:35:33 2016
OS/Arch: darwin/amd64
Experimental: true
Get http://XX.XXX.XX.XXX:2377/v1.24/version: malformed HTTP response “\x15\x03\x01\x00\x02\x02”.

  • Are you trying to connect to a TLS-enabled daemon without TLS?
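The six bytes in the "malformed HTTP response" error above are the start of a TLS record rather than HTTP, which is what you get when a plaintext client talks to a TLS listener such as the swarm port 2377 shown in the netstat output. The following is an added example, not part of the original posts or of Docker's code, that decodes those bytes; the function names and verdict strings are hypothetical, and the sample input is copied from the error message in this thread.

```python
import struct

# TLS record-layer constants (RFC 5246); only the values this example needs.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}


def unescape(quoted: str) -> bytes:
    r"""Convert the \xNN text printed in the client error into raw bytes."""
    return quoted.encode("ascii").decode("unicode_escape").encode("latin-1")


def parse_tls_record(data: bytes):
    """Decode a TLS record header; return None if data is not a TLS record."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3 or minor > 4:
        return None
    rec = {"type": CONTENT_TYPES[ctype], "version": (major, minor),
           "length": length, "truncated": len(data) < 5 + length}
    if ctype == 21:                      # alert body: level, then description
        body = data[5:7]
        if len(body) >= 1:
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown")
        if len(body) == 2:
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
    return rec


def diagnose(data: bytes) -> str:
    """Classify the first bytes a server sent back to a plaintext HTTP request."""
    rec = parse_tls_record(data)
    if rec is None:
        return "not-tls"
    if rec["type"] == "alert" and rec.get("level") == "fatal":
        return "tls-endpoint-rejected-plaintext"
    return "tls-endpoint"


if __name__ == "__main__":
    sample = unescape(r"\x15\x03\x01\x00\x02\x02")   # bytes from the error above
    print(parse_tls_record(sample), diagnose(sample))
```

The sample decodes as a fatal alert record with version 3.1 and a declared length of 2; the error message shows only the first of the two body bytes, so the alert description is not recoverable from it.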

@yoreectu you don’t connect directly to the swarm from your client. You run the commands on the manager. In your case swarm-manger01.

@charlessmith what do you mean when you say: “you run the commands on the manager”? Does it mean that I need to ssh into my swarm-manger01 and then run docker commands?
What about exporting the DOCKER_HOST environment variable? Can’t I use it?

The TLS for swarm mode is for node to node communication internally to the swarm. You can’t use that to connect from a remote client.

The tutorial is written from the perspective of SSH-ing into the machine and running the commands locally there.

If you want to connect a remote client to the manager node, you would need to set that up the same way as you would before in Docker 1.11.

Just to be sure I verified with engineering. If docker version is not working between the client and the remote manager, this is not a swarm mode-specific issue.


@charlessmith so this means I have to use my own CA/certificates again to remotely communicate with the cluster? Or is there a simpler way?

You can bind the docker daemon running on your swarm manager nodes to a TCP port and communicate with it insecurely via docker -H tcp://x.x.x.x:2375 but it is not recommended for production. For testing it should be ok.

I’m trying to set up CI & CD for my dev server using gitlab.com, but I could not make it work. I’m getting the error below.

Environment : AWS EC2

OS : Ubuntu 16.

ubuntu@bookeiz:~/swarm$ sudo docker --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=localhost:2377 version 
Client:
 Version:      17.03.0-ce
 API version:  1.26
 Go version:   go1.7.5
 Git commit:   3a232c8
 Built:        Tue Feb 28 08:01:32 2017
 OS/Arch:      linux/amd64
error during connect: Get https://localhost:2377/v1.26/version: x509: certificate is valid for swarm-manager, rocu0uma3ty5mqvz3hkbdhdjn, swarm-ca, not localhost

And I followed this tutorial: https://docs.docker.com/engine/security/https/#secure-by-default

I’m getting the error below:

ubuntu@bookeiz:~/swarm$ sudo dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem   -H=0.0.0.0:2377
Error starting daemon: pid file found, ensure docker is not running or delete /var/run/docker.pid