How to expose Docker TCP socket on WSL2? (WSL-installed Docker, not Docker Desktop)
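I want to connect to the Docker TCP socket running in WSL2, via PyCharm. I can't seem to expose the socket, I think possibly because of limited control over docker-daemon in WSL2 (systemctl)? I can't use Docker Desktop since I need GPU support (Windows Dev Channel + nvidia-docker). I've tried the following:
export DOCKER_HOST=tcp://0.0.0.0:2375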
$ export DOCKER_HOST=tcp://0.0.0.0:2375
$ sudo service docker restart
$ docker context ls
NAME DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR
default * Current DOCKER_HOST based configuration tcp://0.0.0.0:2375 swarm
Warning: DOCKER_HOST environment variable overrides the active context. To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.
$ curl --unix-socket /var/run/docker.sock http:/localhost/version
{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"19.03.11","Details":{"ApiVersion":"1.40","Arch":"amd64","BuildTime":"2020-06-01T09:10:54.000000000+00:00","Experimental":"false","GitCommit":"42e35e61f3","GoVersion":"go1.13.10","KernelVersion":"4.19.121-microsoft-standard","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"1.2.13","Details":{"GitCommit":"7ad184331fa3e55e52b890ea95e65ba581ae3429"}},{"Name":"runc","Version":"1.0.0-rc10","Details":{"GitCommit":"dc9208a3303feef5b3839f4323d9beb36df0a9dd"}},{"Name":"docker-init","Version":"0.18.0","Details":{"GitCommit":"fec3683"}}],"Version":"19.03.11","ApiVersion":"1.40","MinAPIVersion":"1.12","GitCommit":"42e35e61f3","GoVersion":"go1.13.10","Os":"linux","Arch":"amd64","KernelVersion":"4.19.121-microsoft-standard","BuildTime":"2020-06-01T09:10:54.000000000+00:00"}
$ curl http://localhost:2375/version
curl: (7) Failed to connect to localhost port 2375: Connection refused
That last command I'd hope would give something like {"Version":"17.05.0-ce","ApiVersion":"...}, but the connection is refused. Indeed, if I try to connect via PyCharm on the Windows host, it refuses the connection. I also see many tutorials / SO posts saying not to use this DOCKER_HOST method, but I'm not sure why.
/lib/systemd/system/docker.service > ExecStart
Per serverfault, ivankrizsan, I edited /lib/systemd/system/docker.service with ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375. But when I try systemctl daemon-reload it errors; WSL2 doesn't support systemctl commands (WSL/457).
$ sudo systemctl daemon-reload
System has not been booted with systemd as init system (PID 1). Can't operate.
I also tried restarting WSL2 (PowerShell wsl --shutdown, re-open WSL2) in case docker-daemon would pick up those changes, but no cigar.
$ curl http://localhost:2375/version
curl: (7) Failed to connect to localhost port 2375: Connection refused
/etc/default/docker > DOCKER_OPTS
I edited /etc/default/docker with DOCKER_OPTS="-H unix:// -H tcp://0.0.0.0:2375", then sudo service docker restart. Same connection refused error.
Quick-Fix (insecure)
From Gist
1. /etc/docker/daemon.json
{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}
2. sudo service docker restart
Long-Fix (TLS)
For TLS support: more detailed serverfault, step-by-step blog post. If you're setting up Docker on a server, I recommend following the blog post. For me, I just wanted Docker in WSL2, the socket accessible by Windows (PyCharm), and TLS secure. So my modifications use ~/.docker & localhost (rather than root folders & FQDN). Here are my steps:
1. /etc/docker/daemon.json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlscacert": "/home/lefnire/.docker/certs/ca.pem",
  "tlscert": "/home/lefnire/.docker/certs/server-cert.pem",
  "tlskey": "/home/lefnire/.docker/certs/server-key.pem",
  "tlsverify": true
}
Note that I'm using ~/.docker/certs rather than /etc/docker/certs. I was hitting permissions snags with PyCharm needing access to the "certificates folder", even with chmod -v 0444 x attempts.
2. Certificates
$ mkdir ~/.docker/certs
$ cd ~/.docker/certs
$ openssl genrsa -aes256 -out ca-key.pem 4096 # enter passphrase
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem # enter localhost at FQDN step
$ openssl genrsa -out server-key.pem 4096
$ openssl req -subj "/CN=localhost" -sha256 -new -key server-key.pem -out server.csr
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
$ echo subjectAltName = DNS:localhost,IP:127.0.0.1 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
$ openssl genrsa -out key.pem 4096
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Ignore the openssl RAND error (or fix it)
3. sudo service docker restart
4. PyCharm (optional)
- File > Settings > Build, Execution, Deployment > Docker
- Add Docker (or click existing) > [x] TCP socket
- Engine API URL: https://localhost:2376
- Certificates folder: \\wsl$\Ubuntu-18.04\home\lefnire\.docker\certs
- File > Settings > Project: [my-proj] > Python Interpreter
- Dropdown > Show All... > Add > Docker
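In my case, the problem was -H fd://
Fix
- Check the logs: tail -f /var/log/docker.log
failed to load listeners: no sockets found via socket activation: make sure the service was started by systemd
- Edit the file /lib/systemd/system/docker.service and replace fd:// with unix://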
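Added example, not part of either answer above: a small auditor that reads a daemon.json and reports which listeners are exposed without client-certificate authentication, run here over the Quick-Fix and Long-Fix configurations from the first answer, plus the fd:// listener discussed in the second. The function name audit_daemon_config and the systemd_is_pid1 parameter are hypothetical, and treating an fd:// entry in "hosts" like the -H fd:// flag is an assumption of this sketch.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# The two daemon.json variants from the first answer, embedded as sample input.
QUICK_FIX = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
LONG_FIX = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlscacert": "/home/lefnire/.docker/certs/ca.pem",
  "tlscert": "/home/lefnire/.docker/certs/server-cert.pem",
  "tlskey": "/home/lefnire/.docker/certs/server-key.pem",
  "tlsverify": true
}"""


def audit_daemon_config(text, systemd_is_pid1=False):
    """Return (severity, host, message) findings for a daemon.json string."""
    cfg = json.loads(text)
    # tlsverify makes the daemon demand a client certificate signed by the
    # configured CA; without it a TCP listener accepts every caller.
    mutual_tls = cfg.get("tlsverify") is True
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme == "fd" and not systemd_is_pid1:
            findings.append(("error", host,
                             "socket activation needs systemd as PID 1; use unix://"))
        if url.scheme != "tcp":
            continue  # unix:// access is governed by file permissions instead
        if not mutual_tls:
            findings.append(("critical", host,
                             "API accepts any client; Docker API access is root-equivalent"))
        if url.hostname not in LOOPBACK:
            findings.append(("warning", host,
                             "listens on every interface, not only loopback"))
    return findings


if __name__ == "__main__":
    for name, text in (("quick-fix", QUICK_FIX), ("long-fix", LONG_FIX)):
        for severity, host, message in audit_daemon_config(text):
            print(f"{name}: {severity}: {host}: {message}")
```

The Long-Fix still draws a warning because tcp://0.0.0.0:2376 binds every interface; with tlsverify on, callers without a certificate signed by ca.pem are rejected during the TLS handshake.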