Windows Server 2016 TP5 - Docker server remote management

Hi!
I have Windows Server 2016 TP5 running with Docker. It is written here:
“Once setup, the most convenient approach is to use the Windows Server 2016 / Docker Engine combination remotely from a machine with development tools and editors installed (instead of trying to install them on Windows Server). This can be done by setting DOCKER_HOST to reference the Windows Server host on the development machine.”

However, if I type `netstat -ano`, there is no port 2375 or 2376 in use at all! Docker is not listening for remote connections.
From daemon.log I see just “API listen on //./pipe/docker_engine”

So how can we manage the WS2016TP5 Docker server remotely? Does Docker-machine have a driver and support it at all?

Thanks! :slight_smile:

The Docker daemon startup scripts for Windows check to see if a certificate is present. If not, it doesn’t open up port 2376. 2375 is never opened by default.

You can either:

  1. Set up the certs - see https://github.com/Microsoft/Virtualization-Documentation/tree/live/windows-server-container-tools/DockerTLS
  2. Modify C:\ProgramData\docker\runDockerDaemon.cmd, adding another -H option for the default port 2375. This isn’t recommended because no user authentication or encryption are used.

Hi Patrick, thanks.

Actually, what is written here is correct.

“The default startup behavior is to listen on only the named pipe, which will prevent remote connections.”

If I stop the docker daemon and start it with a command like the one below, it will be reachable remotely (without TLS in this case):

```
dockerd -H npipe:// -H tcp://0.0.0.0:2375
```

Next, I can manage it remotely and try to run a Windows container from another Windows server this way:

```
docker -H tcp://10.10.10.123:2375 run -d microsoft/iis
```

However, everything fails here… and not a single container is started. When I issue the docker run command above, the output is like this:

```
docker: Error response from daemon: HCSShim::CreateComputeSystem failed in Win32: The operating system of the container does not match the operating system of the host. (0xc0370101)
```

(I use only x64 Windows OS here)

If I try to pull docker image, the error is this:

latest: Pulling from microsoft/iis
6ff3efb31344: Extracting [==================================================>] 2.522 kB/2.522 kB
10b3040784bb: Download complete
**docker: failed to register layer: layer does not exist.**

Any ideas? :slight_smile:

I guess you are trying to run in PowerShell ISE; try PowerShell directly.

Have you installed the base images?

Here’s what I do (and note that this is not perfectly safe because I expose the Windows guest docker daemon on the host network without auth):

  1. Get TP5 set up (I use the core version with no desktop stuff)
  2. Attach with hyper-v manager or virtualbox
  3. Run `sconfig` and enable remote desktop
  4. remote desktop to the machine
  5. open the firewall for docker: `netsh advfirewall firewall add rule name="yolo" dir=in action=allow protocol=TCP localport=2376`
  6. (not required) disable malware protection because it’s slow: `Set-MpPreference -DisableRealtimeMonitoring $true`
  7. share c-drive: `net share C=c: /GRANT:Everyone,FULL`
  8. use favorite editor on host and edit `C:\ProgramData\docker\runDockerDaemon.cmd` (ProgramData is a hidden folder)
  9. Add `-H 0.0.0.0:2376` to the non-secured daemon invocations - that makes the daemon listen on TCP unsecured.
  10. `net stop docker` and `net start docker` to pick up the config changes
  11. On the host set `$Env:DOCKER_HOST="192.168.1.215:2376"` (using the correct IP for your guest) and run `docker version` to make sure things are working.

runDockerDaemon.cmd:


```bat
@echo off
set certs=%ProgramData%\docker\certs.d

if exist %ProgramData%\docker (goto :run)
mkdir %ProgramData%\docker

:run
rem Use the TLS branch only when a server certificate and tag.txt are present.
if exist %certs%\server-cert.pem (if exist %ProgramData%\docker\tag.txt (goto :secure))

if not exist %systemroot%\system32\dockerd.exe (goto :legacy)

rem No certificate: named pipe plus TCP on all interfaces, no TLS, no authentication.
dockerd -H npipe:// -H 0.0.0.0:2376
goto :eof

:legacy
docker daemon -H npipe:// -H 0.0.0.0:2376
goto :eof

:secure
rem Certificate present: the same listeners, but clients must present a certificate signed by ca.pem.
if not exist %systemroot%\system32\dockerd.exe (goto :legacysecure)
dockerd -H npipe:// -H 0.0.0.0:2376 --tlsverify --tlscacert=%certs%\ca.pem --tlscert=%certs%\server-cert.pem --tlskey=%certs%\server-key.pem
goto :eof

:legacysecure
docker daemon -H npipe:// -H 0.0.0.0:2376 --tlsverify --tlscacert=%certs%\ca.pem --tlscert=%certs%\server-cert.pem --tlskey=%certs%\server-key.pem
```

Some updated instructions:

  1. Get TP5 set up (I use the core version with no desktop stuff)
  2. Attach with hyper-v manager or virtualbox
  3. Run `sconfig` and enable remote desktop
  4. remote desktop to the machine
  5. open the firewall for docker: `netsh advfirewall firewall add rule name="yolo" dir=in action=allow protocol=TCP localport=2376`
  6. (not required) disable malware protection because it’s slow: `Set-MpPreference -DisableRealtimeMonitoring $true`
  7. Install Docker as per here: https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/quick_start_windows_server - when you run `--register-service`, pass `-H` and bind to host port: `.\dockerd.exe -H 0.0.0.0:2376 --register-service`
  8. On the host set `$Env:DOCKER_HOST="192.168.1.215:2376"` (using the correct IP for your guest) and run `docker version` to make sure things are working.
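
An added check, not part of any post in this thread or of Docker's own tooling: a PowerShell function that reads daemon command lines, such as those in runDockerDaemon.cmd or the registered service, and reports every TCP listener together with whether `--tlsverify` protects it. The function name `Get-DockerTcpExposure` is hypothetical, the sample lines are constructed from the invocations quoted above, and it assumes a Windows daemon where the only non-TCP listener is `npipe://`.

```powershell
# Added example (hypothetical helper name): report TCP listeners a Docker
# daemon command line would open, and whether --tlsverify protects them.
function Get-DockerTcpExposure {
    param([Parameter(Mandatory)][string[]]$CommandLine)

    foreach ($line in $CommandLine) {
        # Only daemon invocations matter; skip labels, gotos and other lines.
        if ($line -notmatch '\bdockerd(\.exe)?\b|\bdocker\s+daemon\b') { continue }

        # Every -H / --host value on the line (case-sensitive, like the CLI).
        $listeners = @([regex]::Matches($line, '(?:^|\s)(?:-H|--host)[=\s]+(\S+)') |
            ForEach-Object { $_.Groups[1].Value })

        # npipe:// is local-only; tcp://... or a bare host:port is a TCP socket.
        $tcp = @($listeners | Where-Object { $_ -notmatch '^npipe:' })
        if ($tcp.Count -eq 0) { continue }

        # --tlsverify=false switches verification back off, so do not count it.
        $tls = $line -match '--tlsverify(?!=false)'
        $finding = if ($tls) { 'ok: client certificate required' } else { 'EXPOSED: no authentication' }

        foreach ($l in $tcp) {
            [pscustomobject]@{
                Listener      = $l
                TlsVerify     = $tls
                AllInterfaces = $l -match '(^|//)0\.0\.0\.0:'
                Finding       = $finding
            }
        }
    }
}

# Constructed sample lines, modelled on the invocations quoted in this thread.
$sample = @(
    'dockerd -H npipe:// -H 0.0.0.0:2376',
    'dockerd -H npipe:// -H 0.0.0.0:2376 --tlsverify --tlscacert=%certs%\ca.pem --tlscert=%certs%\server-cert.pem --tlskey=%certs%\server-key.pem',
    'dockerd -H npipe:// -H tcp://0.0.0.0:2375',
    'dockerd -H npipe://'
)
Get-DockerTcpExposure -CommandLine $sample | Format-Table -AutoSize

# On the server itself (path and service name as given in the thread):
# Get-DockerTcpExposure (Get-Content "$env:ProgramData\docker\runDockerDaemon.cmd")
# Get-DockerTcpExposure (Get-CimInstance Win32_Service -Filter "Name='docker'").PathName
```

For the sample input, the first and third lines are reported as exposed, the second as protected by client certificates, and the pipe-only line produces no row.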

I followed the “Windows Containers on Windows Server” quickstart to get Windows Server 2016 successfully set up to run Docker, but I’m still unable to get the VirtualBox VM to function as a DOCKER_HOST for Docker on my Mac. All the instructions given above did was make Docker stop working in Windows 2016.

For instance, running dockerd -H 0.0.0.0:2376 --register-service just erred with time="2018-03-02T23:45:24+01:00" level=fatal msg="The specified service already exists.". Trying to delete the service and running that command again made any docker command fail with the following error message:

error during connect: Get http://%2f%2f.%2fpipe%2fdocker_engine/v1.30/version: open //./pipe/docker_engine: The system cannot find the file specified. In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.

I’ve not even managed to get Remote Desktop working on this Windows Server 2016 instance. Connecting with Microsoft Remote Desktop to the IP address of the VM just ends in an error.

Lastly, the $Env:DOCKER_HOST="..." instruction given won’t work on anything but a Windows host and also won’t work for me since I don’t want to run all Docker images on Windows Server 2016. I only want to run the Octopus Deploy Docker image on Windows through docker-compose up on my Mac. Is it possible to assign a different DOCKER_HOST per Docker image configured in docker-compose.yml?