I have a vz type VM running Ubuntu on a macOS host. I have docker installed in that VM, and I am trying to get the docker daemon's TCP port 2375 exposed on the host. I'd done limactl edit <vm-name> to edit the YAML configuration to add the following 2 lines under portForwards:
- guestPort: 2375
  hostPort: 2375
The overall section looks like this:
portForwards:
- guestSocket: "/run/user/{{.UID}}/docker.sock"
  hostSocket: "{{.Dir}}/sock/docker.sock"
- guestPort: 2375
  hostPort: 2375
However, when I start the VM, I do not see any indication that port 2375 is being forwarded, although I do see the unix socket forwarding message. What is it that I might be doing wrong? The following is what I see when I start the VM:
% limactl start docker-vz
INFO[0000] Using the existing instance "docker-vz"
INFO[0000] Starting the instance "docker-vz" with VM driver "vz"
INFO[0000] [hostagent] hostagent socket created at /Users/bdutta/.lima/docker-vz/ha.sock
INFO[0000] [hostagent] Starting VZ (hint: to watch the boot progress, see "/Users/bdutta/.lima/docker-vz/serial*.log")
INFO[0000] SSH Local Port: 64679
INFO[0000] [hostagent] Waiting for the essential requirement 1 of 2: "ssh"
INFO[0000] [hostagent] [VZ] - vm state change: running
INFO[0009] [hostagent] Waiting for the essential requirement 1 of 2: "ssh"
INFO[0010] [hostagent] The essential requirement 1 of 2 is satisfied
INFO[0010] [hostagent] Waiting for the essential requirement 2 of 2: "user session is ready for ssh"
INFO[0010] [hostagent] The essential requirement 2 of 2 is satisfied
INFO[0010] [hostagent] Waiting for the optional requirement 1 of 1: "user probe 1/1"
INFO[0010] [hostagent] Forwarding "/run/user/502/docker.sock" (guest) to "/Users/bdutta/.lima/docker-vz/sock/docker.sock" (host)
INFO[0010] [hostagent] Guest agent is running
INFO[0010] [hostagent] The optional requirement 1 of 1 is satisfied
INFO[0010] [hostagent] Not forwarding TCP 127.0.0.54:53
INFO[0010] [hostagent] Waiting for the guest agent to be running
INFO[0010] [hostagent] Waiting for the final requirement 1 of 1: "boot scripts must have finished"
INFO[0010] [hostagent] Not forwarding TCP 127.0.0.53:53
INFO[0010] [hostagent] Not forwarding TCP [::]:22
INFO[0010] [hostagent] Not forwarding UDP 127.0.0.54:53
INFO[0010] [hostagent] Not forwarding UDP 127.0.0.53:53
INFO[0010] [hostagent] Not forwarding UDP 192.168.5.15:68
INFO[0010] [hostagent] The final requirement 1 of 1 is satisfied
INFO[0010] READY. Run `limactl shell docker-vz` to open the shell.
-
All TCP ports are already forwarded by default, so there is no need to add a single one specifically, unless for documentation purposes or so.
There is no Docker port 2375 anymore; it was totally insecure and deprecated. Even the old port 2376 is now replaced by ssh...
Anyway, it doesn't show any messages unless something is actually listening on that port:
INFO[0030] [hostagent] Forwarding TCP from [::]:2375 to 127.0.0.1:2375
[DEPRECATION NOTICE]: API is accessible on http://0.0.0.0:2375 without encryption.
Access to the remote API is equivalent to root access on the host. Refer
to the 'Docker daemon attack surface' section in the documentation for
more information: https://docs.docker.com/go/attack-surface/
In future versions this will be a hard failure preventing the daemon from starting!
Learn more at: https://docs.docker.com/go/api-security
But you don't need to do that when you are already forwarding a unix socket. If you need TCP, use 2376 with TLS and a certificate:
https://docs.docker.com/engine/security/protect-access/ shows all the little details needed.
Otherwise, just use unix:///Users/bdutta/.lima/docker-vz/sock/docker.sock
PS. Did you know there is a template://docker already?
It already sets up everything for you, for docker.lima
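The answer above makes the security point explicit: a dockerd listening on tcp://0.0.0.0:2375 without TLS hands root on that machine to anyone who can reach the port, so either stay on the unix socket or move to 2376 with tlsverify. As an added example (not part of this thread, and not code from lima or Docker), the POSIX shell function below audits a dockerd daemon.json for exactly that misconfiguration. It assumes the documented daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey); the two sample files it writes are constructed here to show the weak setting beside the hardened one, and the function and file names are this example's own. The parsing is deliberately line-oriented (grep/sed), which is enough for the flat daemon.json shape but is not a general JSON parser.

```shell
#!/bin/sh
# Added example: audit a dockerd daemon.json for unencrypted TCP listeners.
# Not from the lima thread; assumes the documented daemon.json keys only.

# audit_daemon_json FILE
#   Prints one line per configured host. Returns 0 when every TCP listener
#   is protected by "tlsverify": true, 1 when any TCP listener is plaintext.
audit_daemon_json() {
    file=$1
    rc=0
    # Only "tlsverify": true forces client certificates; "tls": true alone
    # encrypts but still lets any client drive the (root-equivalent) API.
    if grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$file"; then
        tls=1
    else
        tls=0
    fi
    # Pull every host URL out of the "hosts" array (URLs contain no spaces,
    # so word splitting in the for loop is safe here).
    for h in $(grep -Eo '"(tcp|unix|fd|npipe)://[^"]*"' "$file" | tr -d '"'); do
        case $h in
            unix://*|fd://*|npipe://*)
                printf 'ok       %s (local socket, filesystem permissions apply)\n' "$h" ;;
            tcp://*)
                if [ "$tls" -eq 1 ]; then
                    printf 'ok       %s (TLS with client verification)\n' "$h"
                else
                    printf 'INSECURE %s (remote API without TLS = root on the host)\n' "$h"
                    rc=1
                fi ;;
            *)
                printf 'unknown  %s\n' "$h" ;;
        esac
    done
    return $rc
}

# write_samples DIR
#   Writes two constructed daemon.json files: the weak 2375 setup the thread
#   warns against, and the 2376 + tlsverify setup the Docker docs describe.
write_samples() {
    dir=$1
    cat > "$dir/weak.json" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
EOF
    cat > "$dir/hardened.json" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
EOF
}

# Stand-alone demo: sh audit_daemon_json.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_samples "$demo_dir"
    for f in weak hardened; do
        echo "== $f.json"
        audit_daemon_json "$demo_dir/$f.json" || echo "-> fix this daemon.json before enabling TCP"
    done
    rm -r "$demo_dir"
fi
```

Run the audit against the guest's /etc/docker/daemon.json before adding any TCP portForwards entry; if it reports INSECURE, the right fix is the unix socket path the answer gives (or 2376 with certificates), not a firewall rule on the host.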
-
Thank you. Clearly I have a lot to catch up on from the latest docs. I have to admit that I let ChatGPT lead me astray by almost vibe-coding my way into this. While I set up the lima VMs with the docker daemon a month or so back, I believe I did it using template://docker itself, which, I thought, should have set up everything. In fact, my rig was working almost fine, except that I recently started using dev-containers in VS Code (running on the macOS host), and creation of new dev-containers kept failing. Again, ChatGPT seems to have misunderstood or hallucinated by guiding me to set up TCP communication between the macOS host's docker CLI and the docker daemon in the lima VM.
-
Sorry, one question which wasn't fully clear on reading the documentation: are all TCP ports automatically forwarded with the default networking (visible as eth0 in the VM) or with vzNAT networking (visible as lima0 in the VM)?