
"Docker" - Configure port listening (to allow Docker Engine API access) @ 20210220

Problem description

We need to call the Docker Engine API to get some data, mainly for debugging and viewing. (In program integration, use a client library instead of calling the interface directly.)

But Docker listens on a Unix domain socket file by default, so the Postman interface-debugging tool cannot be used. The solution is to make the Docker service listen on a TCP port.

This note records how to make the Docker service listen on a TCP port.

Notes

Although Insomnia Designer can access the Unix domain socket file, it still makes sense to enable TCP listening for the Docker service.

In the following demonstration, we enable UDS and TCP listening at the same time; adjust this according to the actual situation.

We use Debian GNU/Linux 10 (buster) as the test environment, but the steps should also apply to other Linux distributions.

Solution

We have the following solutions:
1) Modify the docker.service configuration (suitable at installation time, when no containers are running yet);
2) Enable Docker's live-restore option, then modify the configuration (suitable for production environments);
3) Use an Nginx reverse proxy (non-invasive to Docker and easy to operate).

Scheme 1: Modify the docker.service configuration (normal method)

// Modify the docker.service configuration and add the following

# systemctl edit docker.service
[Service]
ExecStart=
ExecStart=/usr/sbin/dockerd -H fd:// -H tcp://127.0.0.1:2375 $DOCKER_OPTS

// restart service

# systemctl restart docker.service

// Test interface

# curl http://127.0.0.1:2375/v1.39/containers/json
[]

Notes:
1) We only listen on 127.0.0.1:2375 for testing, so external hosts cannot reach it. If you need access from external hosts, you can change the address to 0.0.0.0:2375, but then you must apply network security controls or enable TLS authentication: an unauthenticated Docker API reachable from the network gives the caller root-equivalent control of the host.
2) On the test host there are no running containers, so the final test call returns an empty array ([]).
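The two notes above amount to a check a practitioner would want to run before restarting the service: which sockets will dockerd actually listen on, and is any TCP listener reachable from the network without TLS client authentication? The script below is an added example, not code from the original post or from Docker; it reads the ExecStart line and the daemon.json text and reports the effective listeners. It also flags the case, explained later in this note, where both -H on the command line and "hosts" in daemon.json are set, which dockerd rejects. The value of DEFAULT_HOST and the treatment of an empty tcp:// host as exposed are assumptions made here for a conservative check.

```python
"""Audit which sockets dockerd will listen on and whether any is network-exposed.

Added example (not from the original post or from Docker). Input is the
ExecStart line of docker.service and the contents of /etc/docker/daemon.json.
"""
import json
import re
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Assumption: the listener dockerd uses when neither -H nor "hosts" is given.
DEFAULT_HOST = "unix:///var/run/docker.sock"


def hosts_from_exec_start(exec_start):
    """Return every -H / --host value on an ExecStart line, in order."""
    toks = shlex.split(exec_start)
    hosts = []
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-H", "--host") and i + 1 < len(toks):
            hosts.append(toks[i + 1])
            i += 2
            continue
        m = re.match(r"^(?:-H|--host)=(.+)$", tok)
        if m:
            hosts.append(m.group(1))
        i += 1
    return hosts


def audit(exec_start, daemon_json):
    """Work out the effective listeners and flag the risky ones."""
    toks = shlex.split(exec_start)
    cli_hosts = hosts_from_exec_start(exec_start)
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    cfg_hosts = list(cfg.get("hosts", []))
    tls_verify = "--tlsverify" in toks or bool(cfg.get("tlsverify"))

    findings = []
    # -H and "hosts" are the same setting from two sources; dockerd refuses both.
    conflict = bool(cli_hosts and cfg_hosts)
    if conflict:
        findings.append('conflict: -H on the command line and "hosts" in daemon.json '
                        "cannot both be set; dockerd will refuse to start")
    effective = cli_hosts or cfg_hosts or [DEFAULT_HOST]

    exposed = False
    for h in effective:
        u = urlsplit(h)
        if u.scheme == "tcp":
            if u.hostname in LOOPBACK:
                findings.append(f"ok: {h} is reachable from this host only")
            elif tls_verify:
                findings.append(f"tls: {h} requires a client certificate (--tlsverify)")
            else:
                # 0.0.0.0, [::], a LAN address, or an empty host (treated as exposed here)
                exposed = True
                findings.append(f"EXPOSED: {h} accepts unauthenticated API calls from the "
                                "network (root-equivalent control of the host)")
        elif u.scheme == "fd":
            findings.append("fd://: socket handed over by systemd (docker.socket), "
                            "not a listener dockerd opens itself")
        elif u.scheme == "unix":
            findings.append(f"ok: {h} is a local Unix socket (file permissions apply)")
        else:
            findings.append(f"unknown scheme: {h}")
    return {"effective": effective, "findings": findings,
            "exposed": exposed, "conflict": conflict}


if __name__ == "__main__":
    # The two configurations shown in this note.
    for name, exec_start, daemon_json in [
        ("scheme 1", "/usr/sbin/dockerd -H fd:// -H tcp://127.0.0.1:2375 $DOCKER_OPTS", "{}"),
        ("scheme 2", "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock",
         '{"live-restore": true, "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'),
    ]:
        result = audit(exec_start, daemon_json)
        print(name, "->", result["effective"])
        for line in result["findings"]:
            print("  ", line)
```

Run it with `python3 audit_dockerd_hosts.py` (any file name works); scheme 1 reports loopback-only, while scheme 2 as written in this note reports the 0.0.0.0:2375 listener as exposed, which is the case that needs a firewall rule or TLS before it goes to production.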

Scheme 2: For production environments (more complex operation, but recommended)

Enable TCP port 2375 for external connection to Docker
dockerd | Docker Documentation
Keep containers alive during daemon downtime | Docker Documentation
How do I expose the docker API over TCP?-Server Fault
sudo-How to resolve "service start-limit-hit"-Ask Ubuntu

In a production environment we cannot simply restart the Docker service, because the containers would stop. When containers stop, we not only have to deal with the stopped containers but also with related issues (such as the order of container start-up dependencies).

Steps

The following are the steps to solve the problem (make sure you understand what each step does before proceeding):

// Enable the live-restore function, so that restarting docker does not cause containerd to stop the containers

# vim /etc/docker/daemon.json
{
  ...
    "live-restore": true,
  ...
}

// Make the live-restore configuration effective

# systemctl reload docker.service

// Add configuration so that dockerd listens on TCP (new) and UDS (original)

# vim /etc/docker/daemon.json
{
  ...
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
  ...
}

// Modify the docker.service file as follows. Here we just delete the -H fd:// option (because -H cannot coexist with the hosts key in daemon.json)

# systemctl edit docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock

// restart service
// Note: the service is briefly interrupted during the restart (because docker-proxy restarts, not because the containers stop)

# systemctl restart docker.service

// Access verification

# curl http://127.0.0.1:2375/v1.39/containers/json

Explanation

The following points need to be understood here:
1) docker client => dockerd => containerd => our containers
2) The role of live-restore is to "decouple" dockerd from containerd, so that the state of dockerd no longer affects the containers.

When the live-restore feature is enabled and you kill dockerd with killall -KILL dockerd, the containers do not stop; only dockerd and docker-proxy stop, so there is an interruption (a network interruption for published ports).

When dockerd starts again, it 1) reconnects to the containerd service and continues to manage the original containers, and 2) starts docker-proxy again, so the network is restored.

Notes

So the disadvantage of this method is a "short service interruption" (roughly the time systemctl restart docker.service takes), but it is better than "restarting the docker service directly and then dealing with the stopped containers".

docker.service: Failed with result 'start-limit-hit'.
1) This error is usually encountered because systemctl restart docker.service is executed frequently while verifying.
2) It can be resolved by executing systemctl reset-failed docker.service

Scheme 3: Use an Nginx proxy

The trouble with modifying docker.service is that it can interfere with upgrades; even with systemctl edit docker.service this problem may occur.

In that case it can be solved by reverse-proxying the Unix socket with Nginx (no detailed explanation here; adjust the configuration to the actual situation):

server {
    listen 127.0.0.1:9000;
    location / {
        proxy_pass http://unix:/var/run/docker.sock:/;
    }
}

This method does not require modifying any Docker configuration, but introducing Nginx adds some complexity.
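The reason Nginx can proxy the socket at all is that the Docker Engine API is plain HTTP over the Unix domain socket, so a program can also call it directly without enabling TCP listening (the "use a class library" advice from the problem description). The example below is added here and is not code from the original post or from Docker: it speaks HTTP over an AF_UNIX socket using only the standard library, which is what `curl --unix-socket` does. The stand-in engine server is constructed so the demo runs offline and answers /v1.39/containers/json with an empty array, matching the result on the test host in this note; on a real host you would pass /var/run/docker.sock instead.

```python
"""Call the Docker Engine API over its Unix socket from a program.

Added example (not from the original post or from Docker). The _FakeEngine
class is a constructed stand-in so the demo runs without a Docker daemon.
"""
import http.client
import json
import os
import socket
import socketserver
import tempfile
import threading

API_VERSION = "v1.39"  # the version used by the curl calls in this note


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection whose transport is a Unix domain socket instead of TCP."""

    def __init__(self, sock_path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.settimeout(self.timeout)
        s.connect(self.sock_path)
        self.sock = s


def engine_get(sock_path, path):
    """GET /<API_VERSION><path> over the socket and return the decoded JSON body."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", f"/{API_VERSION}{path}")
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"{resp.status} {resp.reason}: {body!r}")
        return json.loads(body)
    finally:
        conn.close()


class _FakeEngine(socketserver.StreamRequestHandler):
    """Constructed stand-in: answers /containers/json with [] like an idle host."""

    def handle(self):
        request_line = self.rfile.readline().decode()
        # Consume the request headers up to the blank line.
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass
        parts = request_line.split()
        target = parts[1] if len(parts) > 1 else ""
        if target.endswith("/containers/json"):
            status, body = b"200 OK", b"[]"
        else:
            status, body = b"404 Not Found", b'{"message":"page not found"}'
        self.wfile.write(b"HTTP/1.1 " + status + b"\r\n"
                         b"Content-Type: application/json\r\n"
                         b"Content-Length: " + str(len(body)).encode() + b"\r\n"
                         b"Connection: close\r\n\r\n" + body)


def list_containers_demo():
    """Start the stand-in engine on a temporary socket, query it, and return the result."""
    sock_path = os.path.join(tempfile.mkdtemp(), "docker.sock")
    server = socketserver.UnixStreamServer(sock_path, _FakeEngine)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return engine_get(sock_path, "/containers/json")
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock_path)


if __name__ == "__main__":
    print(list_containers_demo())  # the same call as curl .../v1.39/containers/json
```

Because the only thing protecting the socket is its file permissions, a program using this approach needs no network exposure at all, which is the safest of the three schemes when the consumer runs on the same host.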

Additional instructions

About the fd:// parameter: it does not tell Docker to open a UDS listener itself; instead systemd creates the socket and passes it to the Docker service. You can verify this by running the ExecStart command directly on the command line. —— sockets - what does fd:// mean exactly in dockerd -H fd:// - Stack Overflow

References

Develop with Docker Engine API | Docker Documentation
api - How to make docker listening to unix and TCP socket under centos with systemd - Stack Overflow
Proxy a unix socket HTTP server to a tcp port using nginx
