Enable Docker Remote API on Docker Machine on Mac OS X

Docker daemon provides a Remote REST API. This API is used by the client to communicate with the engine. This API can be also be invoked by other tools, such as curl or Chrome Postman REST Client.

If you are creating Docker daemons using Docker Machine on OSX Mavericks, then getting this API to work is a bit tricky. This blog will explain how to enable Docker Remote API on Docker Machines created on Mac OS X.

Connecting to the secure Docker port using curl gives the command as:

$ curl https://$HOST:2376/images/json \
  --cert ~/.docker/cert.pem \
  --key ~/.docker/key.pem \
  --cacert ~/.docker/ca.pem

Couple of issues with this command:

• This command does not even work for Docker Machine since the certificates for each Machine are stored in .docker/machine/machines/<machine-name> directory.
• Even if this command is modified to match that path:
  

  curl https://192.168.99.100:2376/images/json --cert $DOCKER_CERT_PATH/cert.pem --key $DOCKER_CERT_PATH/key.pem --cacert $DOCKER_CERT_PATH/ca.pem

  It still gives the following error:
  

  curl: (58) SSL: Can't load the certificate "/Users/arungupta/.docker/machine/machines/couchbase/cert.pem" and its private key: OSStatus -25299

  The culprit for this is an updated curl utility for OSX Mavericks users. In summary, the new version of CURL uses Apple’s Secure Transport API instead of the OpenSSL API. This means the certificates need to be in P12 format.

Let's fix this!

• Go to the directory where certificates for your Machine are stored. In my case, this is .docker/machine/machines/couchbase directory.
• Generate *.p12 format for the certificate:
  

  openssl pkcs12 -export \
  -inkey key.pem \
  -in cert.pem \
  -CAfile ca.pem \
  -chain \
  -name client-side \
  -out cert.p12 \
  -password pass:mypass

  More details here.
• Now invoke the REST API as:
  

  curl https://192.168.99.100:2376/images/json --cert $DOCKER_CERT_PATH/cert.p12 --pass mypass --key $DOCKER_CERT_PATH/key.pem --cacert $DOCKER_CERT_PATH/ca.pem

  
  Notice, --cert now points to the generated p12 certificate and certificate password is specified using --pass. This will return the result as:

  [{"Id":"sha256:d38beda529d3274636d6cb1c9000afe4f00fbdcfa544140d6cc0f5d7f5b8434a","ParentId":"","RepoTags":["arungupta/couchbase:latest"],"RepoDigests":null,"Created":1450330075,"Size":374824677,"VirtualSize":374824677,"Labels":{}}]

  OK, now that makes sense!
• Let's try to start Couchbase server as:

  ~ > docker run -d -p 8091-8093:8091-8093 -p 11210:11210 arungupta/couchbase
  42d1414883affd0fbb272cb1378c2f6b5118acf3ed5cb60cbecdc42f95602e3e

  And invoke another REST API to view more details about this container:

  ~ > curl https://192.168.99.100:2376/containers/json --cert $DOCKER_CERT_PATH/cert2.p12 --pass mypass --key $DOCKER_CERT_PATH/key.pem --cacert $DOCKER_CERT_PATH/ca.pem
  [{"Id":"42d1414883affd0fbb272cb1378c2f6b5118acf3ed5cb60cbecdc42f95602e3e","Names":["/admiring_pike"],"Image":"arungupta/couchbase","ImageID":"sha256:d38beda529d3274636d6cb1c9000afe4f00fbdcfa544140d6cc0f5d7f5b8434a","Command":"/entrypoint.sh /opt/couchbase/configure-cluster.sh","Created":1454850194,"Ports":[{"IP":"0.0.0.0","PrivatePort":8092,"PublicPort":8092,"Type":"tcp"},{"PrivatePort":11207,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":11210,"PublicPort":11210,"Type":"tcp"},{"PrivatePort":18092,"Type":"tcp"},{"PrivatePort":18091,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":8093,"PublicPort":8093,"Type":"tcp"},{"IP":"0.0.0.0","PrivatePort":8091,"PublicPort":8091,"Type":"tcp"},{"PrivatePort":11211,"Type":"tcp"}],"Labels":{},"Status":"Up 2 seconds","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"","EndpointID":"6feaf4c1c70feaf0ba240ce55fb58ce83ebb84c8098bef9171998e84f607fa0b","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02"}}}}]

Read through the complete API and go crazy now!