Enable Docker Remote API on Docker Machine on Mac OS X
Docker daemon provides a Remote REST API. This API is used by the client to communicate with the engine. This API can be also be invoked by other tools, such as curl or Chrome Postman REST Client.
If you are creating Docker daemons using Docker Machine on OSX Mavericks, then getting this API to work is a bit tricky. This blog will explain how to enable Docker Remote API on Docker Machines created on Mac OS X.
Connecting to the secure Docker port using curl gives the command as:
$ curl https://$HOST:2376/images/json \
--cert ~/.docker/cert.pem \
--key ~/.docker/key.pem \
--cacert ~/.docker/ca.pem
Couple of issues with this command:
- This command does not even work for Docker Machine since the certificates for each Machine are stored in
.docker/machine/machines/<machine-name>
directory. - Even if this command is modified to match that path:
It still gives the following error:curl https://192.168.99.100:2376/images/json --cert $DOCKER_CERT_PATH/cert.pem --key $DOCKER_CERT_PATH/key.pem --cacert $DOCKER_CERT_PATH/ca.pem
The culprit for this is an updated curl utility for OSX Mavericks users. In summary, the new version of CURL uses Apple’s Secure Transport API instead of the OpenSSL API. This means the certificates need to be in P12 format.curl: (58) SSL: Can't load the certificate "/Users/arungupta/.docker/machine/machines/couchbase/cert.pem" and its private key: OSStatus -25299
Let's fix this!
- Go to the directory where certificates for your Machine are stored. In my case, this is
.docker/machine/machines/couchbase
directory. - Generate
*.p12
format for the certificate:
More details here.openssl pkcs12 -export \ -inkey key.pem \ -in cert.pem \ -CAfile ca.pem \ -chain \ -name client-side \ -out cert.p12 \ -password pass:mypass
- Now invoke the REST API as:
curl https://192.168.99.100:2376/images/json --cert $DOCKER_CERT_PATH/cert.p12 --pass mypass --key $DOCKER_CERT_PATH/key.pem --cacert $DOCKER_CERT_PATH/ca.pem
Notice,--cert
now points to the generated p12 certificate and certificate password is specified using--pass
. This will return the result as:
OK, now that makes sense![{"Id":"sha256:d38beda529d3274636d6cb1c9000afe4f00fbdcfa544140d6cc0f5d7f5b8434a","ParentId":"","RepoTags":["arungupta/couchbase:latest"],"RepoDigests":null,"Created":1450330075,"Size":374824677,"VirtualSize":374824677,"Labels":{}}]
- Let's try to start Couchbase server as:
And invoke another REST API to view more details about this container:~ > docker run -d -p 8091-8093:8091-8093 -p 11210:11210 arungupta/couchbase 42d1414883affd0fbb272cb1378c2f6b5118acf3ed5cb60cbecdc42f95602e3e
~ > curl https://192.168.99.100:2376/containers/json --cert $DOCKER_CERT_PATH/cert2.p12 --pass mypass --key $DOCKER_CERT_PATH/key.pem --cacert $DOCKER_CERT_PATH/ca.pem [{"Id":"42d1414883affd0fbb272cb1378c2f6b5118acf3ed5cb60cbecdc42f95602e3e","Names":["/admiring_pike"],"Image":"arungupta/couchbase","ImageID":"sha256:d38beda529d3274636d6cb1c9000afe4f00fbdcfa544140d6cc0f5d7f5b8434a","Command":"/entrypoint.sh /opt/couchbase/configure-cluster.sh","Created":1454850194,"Ports":[{"IP":"0.0.0.0","PrivatePort":8092,"PublicPort":8092,"Type":"tcp"},{"PrivatePort":11207,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":11210,"PublicPort":11210,"Type":"tcp"},{"PrivatePort":18092,"Type":"tcp"},{"PrivatePort":18091,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":8093,"PublicPort":8093,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":8091,"PublicPort":8091,"Type":"tcp"},{"PrivatePort":11211,"Type":"tcp"}],"Labels":{},"Status":"Up 2 seconds","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"","EndpointID":"6feaf4c1c70feaf0ba240ce55fb58ce83ebb84c8098bef9171998e84f607fa0b","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02"}}}}]
Read through the complete API and go crazy now!