Docker Community Forums

[Resolved] Creating machine on AWS

(Rdesgrange) #1


I’m trying to set up a Docker host on AWS with docker-machine. Docker-machine is 0.6. The command is the following:

```
docker-machine create -d amazonec2 --amazonec2-region=eu-west-1 --amazonec2-vpc-id=vpc-c3c9c7a6 --amazonec2-subnet-id=subnet-d18474b5 --amazonec2-security-group=DockerSwarm --amazonec2-use-private-address AwsTestMachine1
```

The output is the following:

```
Running pre-create checks...
Creating machine...
(keystore) Launching instance...
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
Detecting the provisioner...
Provisioning with ubuntu(systemd)...
Installing Docker...

Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
Checking connection to Docker...
Error creating machine: Error checking the host: Error checking and/or regenerating the certs: There was an error validating certificates for host "": dial tcp i/o timeout
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which will stop running containers.
```

I can ssh to the machine with `docker-machine ssh AwsTestMachine1`. Docker works well on the created machine. I tried to regenerate the certificate (which works). Are there any magical AWS args that I am missing here?

Thanks in advance.

(Nathan Le Claire) #2

If you use the --amazonec2-use-private-address flag you must ensure that you are running the create from somewhere that private address ( in this case) will be reachable, e.g. in the same subnet with proper access permissions configured. Are you doing so?

(Rdesgrange) #3

Yes yes, I can ssh to the machine (with `docker-machine ssh AwsTestMachine1`) and ping it; the machine that runs docker-machine is in the same subnet.

This morning I successfully recreated a machine on AWS. I tried another one and it failed, so it seems that this is random for me…

(Rdesgrange) #4

Ok, this was a Puppet error: Puppet applied some firewall rules on my host running docker-machine, and this broke everything. My bad, sorry.

(Nathan Le Claire) #5

No problem, glad to hear it worked out!

(Dvohra) #6

For Docker to communicate over the network:

  1. Stop Docker:
     sudo service docker stop

  2. Add the following line to /etc/default/docker, which may be opened in the vi editor:

     DOCKER_OPTS="-H tcp:// -H unix:///var/run/docker.sock"

  3. Start Docker:
     sudo service docker start

(David Maze) #7

There is a very very very important step of firewalling off port 2375 in some form before you do this. Otherwise, nothing stops me from running

DOCKER_HOST= docker run --rm -it -v /:/host ubuntu:14.04 bash

and pwning your box. (Being in a controlled environment like an Amazon VPC is some help, but I’d never open up something that gave unrestricted unauthenticated access to the root filesystem like this to the network.)

(Nathan Le Claire) #8

Yeah, please don’t expose Docker API without TLS. It’s the whole reason we go through the whole song and dance to generate certs in the first place: To keep you safe.
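As an added example (not code from any poster in this thread), here is a small POSIX sh audit that flags a DOCKER_OPTS line like the one in post #6 when it configures a TCP listener without the daemon's TLS client-authentication flags, next to a hardened line of the kind the warnings in #7 and #8 call for. The sample lines, addresses and certificate paths are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a DOCKER_OPTS line for an unauthenticated TCP listener.
# The weak line mirrors post #6; the hardened one adds --tlsverify plus the
# CA, server cert and key so only clients holding a CA-signed cert can connect.
# Addresses and cert paths below are constructed, not taken from the thread.

WEAK='DOCKER_OPTS="-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"'
HARDENED='DOCKER_OPTS="-H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"'
UNIX_ONLY='DOCKER_OPTS="-H unix:///var/run/docker.sock"'

# has_flag LINE NEEDLE -> true when NEEDLE occurs in LINE (pure sh, no grep).
has_flag() {
    case "$1" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_docker_opts LINE -> prints a verdict; returns 0 when acceptable,
# 1 when a TCP listener is configured without full TLS client auth.
audit_docker_opts() {
    line="$1"
    if ! has_flag "$line" "tcp://"; then
        echo "ok: no TCP listener configured"
        return 0
    fi
    # --tlsverify alone is not enough: the daemon also needs the CA to
    # validate clients and its own cert/key to serve TLS at all.
    for f in --tlsverify --tlscacert --tlscert --tlskey; do
        if ! has_flag "$line" "$f"; then
            echo "exposed: TCP listener without $f"
            return 1
        fi
    done
    echo "ok: TCP listener requires a CA-signed client certificate"
    return 0
}

# audit_docker_defaults FILE -> audit the last DOCKER_OPTS line in FILE
# (e.g. /etc/default/docker); a file without one counts as unix-only.
audit_docker_defaults() {
    opts=$(grep '^DOCKER_OPTS=' "$1" 2>/dev/null | tail -n 1) || true
    audit_docker_opts "$opts"
}

# Demo on the constructed lines (the weak one returns non-zero).
audit_docker_opts "$WEAK" || true
audit_docker_opts "$HARDENED"
```

Run `audit_docker_defaults /etc/default/docker` on a host to check its real configuration; a non-zero exit means the Docker API is reachable over TCP without client certificates.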