I was working on setting up a docker container today (and yesterday) (and the day before).

The organization I’m working for happens to use the 172.17.0.0/16 subnet for the IM chat server. This does not interact well with docker’s defaults, of course. So to fix it, per the documentation, I set --bip=192.168.11.0/24 in my /etc/default/docker file.

I also had to add an insecure registry to the system, so I threw a --insecure-registry host:5000 option as well on the DOCKER_OPTS.

All done.

Nope. The registry won’t take. Every time I try to use docker pull or docker-compose up on a registry image, it keeps failing, complaining about v2 ping attempt failed with error: tls: oversized record received with length 20527 (that’s for the search engines). This makes no sense to me, even though I hammer at it for a few hours.

I try --insecure-registry http://host:5000. Nope.

I try --insecure-registry=host:5000. Nope.

I try --insecure-registry=http://host:5000. Nope.

Just a note, all these settings are playing well each time I restart docker. I get no startup errors at all. So I check ps -ef | grep docker and lo

root      4488     1  6 15:48 ?        00:03:53 /usr/bin/docker daemon -H fd://

Where are my options?

Turns out Docker.com is shipping an incorrect service file for Ubuntu systemd flavors. To fix, just update your service file (located at /etc/systemd/system/multi-user.target.wants/docker.service on my system) like so:

[Service]
+EnvironmentFile=-/etc/default/docker
Type=notify
-ExecStart=/usr/bin/docker daemon -H fd://
+ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS
MountFlags=slave
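
Review bot: the leading - on EnvironmentFile=-/etc/default/docker tells systemd to ignore the file when it is missing, so on a host without that file ExecStart expands $DOCKER_OPTS to nothing and the daemon starts with neither --bip nor --insecure-registry and reports no error, which is the same silent failure this change is meant to fix. Consider dropping the - so a missing file fails the unit, or confirm the flags are on the running process with ps -ef | grep docker after the restart.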

Don’t forget to systemctl daemon-reload; systemctl restart docker

Once that’s in place, I start finding all my incorrect settings.

You should use --bip=<gateway ip>/mask or in my case, --bip=192.168.11.1/24. This is stated in the docs on docker.com in paragraph 4 where it says “supply a specific IP address and netmask for the docker0 bridge” but that isn’t exactly obvious at first read-through.

You should also (per docker daemon --help) use the --insecure-registry=hostname:port form to set your custom registry.
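
A pre-restart lint for the three mistakes described above (unit file not passing $DOCKER_OPTS, --bip given as a network address, --insecure-registry not in the hostname:port form). This is an added example, not code from the original post or from Docker; the function names and the sample unit files are assumptions constructed from the snippet shown earlier.

```shell
#!/bin/sh
# Added example: pre-restart lint for the three mistakes described in this post.
# Function names and sample files are assumptions of this example, not Docker tooling.

# Succeeds only if the unit loads an EnvironmentFile and expands $DOCKER_OPTS
# on ExecStart; otherwise options in /etc/default/docker are silently dropped.
unit_passes_opts() (
    grep -Eq '^EnvironmentFile=-?/' "$1" || { echo "$1: no EnvironmentFile="; exit 1; }
    grep -Eq '^ExecStart=.*\$[{]?DOCKER_OPTS' "$1" ||
        { echo "$1: ExecStart does not expand \$DOCKER_OPTS"; exit 1; }
)

# Succeeds if A.B.C.D/LEN has non-zero host bits, i.e. it names an address
# for docker0 (192.168.11.1/24) rather than the network itself (192.168.11.0/24).
bip_is_host_address() (
    case $1 in *.*.*.*/[0-9]*) ;; *) exit 1 ;; esac
    len=${1#*/}; addr=${1%/*}
    IFS=.; set -- $addr
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ $(( $ip & ((1 << (32 - $len)) - 1) )) -ne 0 ]
)

# Prints one line per problem in an options string; exit status = problem count.
lint_opts() (
    set -f; n=0
    for opt in $1; do
        case $opt in
            --bip=*) bip_is_host_address "${opt#--bip=}" ||
                { echo "bip: ${opt#--bip=} is not <gateway ip>/mask"; n=$((n + 1)); } ;;
            --insecure-registry=*://*|--insecure-registry)
                echo "insecure-registry: use the =hostname:port form"; n=$((n + 1)) ;;
        esac
    done
    exit "$n"
)

# Constructed sample units: the [Service] section before and after the change above.
write_sample_units() {
    printf '[Service]\nType=notify\nExecStart=/usr/bin/docker daemon -H fd://\nMountFlags=slave\n' > "$1/before.service"
    printf '[Service]\nEnvironmentFile=-/etc/default/docker\nType=notify\nExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS\nMountFlags=slave\n' > "$1/after.service"
}

tmp=$(mktemp -d); write_sample_units "$tmp"
unit_passes_opts "$tmp/before.service" || echo "-> fix the unit file first"
unit_passes_opts "$tmp/after.service" && echo "after.service: ok"
lint_opts "--bip=192.168.11.0/24 --insecure-registry http://host:5000" || echo "-> $? problem(s)"
lint_opts "--bip=192.168.11.1/24 --insecure-registry=host:5000" && echo "options: ok"
rm -rf "$tmp"
```

On a real host, point unit_passes_opts at the docker.service file and pass the DOCKER_OPTS value from /etc/default/docker to lint_opts before restarting the daemon.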

For you time travellers, here’s my version

$ docker version
Client:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.4.2
 Git commit:   a34a1d5
 Built:        Fri Nov 20 13:20:08 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.4.2
 Git commit:   a34a1d5
 Built:        Fri Nov 20 13:20:08 UTC 2015
 OS/Arch:      linux/amd64