
How to expose Docker TCP socket on WSL2? (WSL-installed Docker, not Docker Desktop)

I want to connect to Docker TCP socket running in WSL2 via PyCharm. I can't seem to expose the socket, I think possibly because there's limited control of docker-daemon within WSL2 (systemctl)? I can't use Docker Desktop because I need GPU support (Windows Dev Channel + nvidia-docker). I've tried the following:

export DOCKER_HOST=tcp://

$ export DOCKER_HOST=tcp://
$ sudo service docker restart
$ docker context ls
default *           Current DOCKER_HOST based configuration   tcp://                         swarm
Warning: DOCKER_HOST environment variable overrides the active context. To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.
$ curl --unix-socket /var/run/docker.sock http:/localhost/version
{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"19.03.11","Details":{"ApiVersion":"1.40","Arch":"amd64","BuildTime":"2020-06-01T09:10:54.000000000+00:00","Experimental":"false","GitCommit":"42e35e61f3","GoVersion":"go1.13.10","KernelVersion":"4.19.121-microsoft-standard","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"1.2.13","Details":{"GitCommit":"7ad184331fa3e55e52b890ea95e65ba581ae3429"}},{"Name":"runc","Version":"1.0.0-rc10","Details":{"GitCommit":"dc9208a3303feef5b3839f4323d9beb36df0a9dd"}},{"Name":"docker-init","Version":"0.18.0","Details":{"GitCommit":"fec3683"}}],"Version":"19.03.11","ApiVersion":"1.40","MinAPIVersion":"1.12","GitCommit":"42e35e61f3","GoVersion":"go1.13.10","Os":"linux","Arch":"amd64","KernelVersion":"4.19.121-microsoft-standard","BuildTime":"2020-06-01T09:10:54.000000000+00:00"}
$ curl http://localhost:2375/version
curl: (7) Failed to connect to localhost port 2375: Connection refused

The final command I expect to give a result like {"Version":"17.05.0-ce","ApiVersion":"...} but connection refused. Indeed, if I try to connect via Windows host Pycharm it refuses connection. I also see many tutorials / SO posts saying not to use this DOCKER_HOST approach, but I'm not sure why.

/lib/systemd/system/docker.service > ExecStart

Per stackoverflow, serverfault, ivankrizsan, I edited /lib/systemd/system/docker.service with ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp:// But when I try systemctl daemon-reload it errors; WSL2 doesn't support systemctl commands (WSL/457).

$ sudo systemctl daemon-reload
System has not been booted with systemd as init system (PID 1). Can't operate.

I also tried restarting WSL2 (Powershell wsl --shutdown, re-open WSL2) in case docker-daemon will pick those change up, but no cigar.

$ curl http://localhost:2375/version
curl: (7) Failed to connect to localhost port 2375: Connection refused

/etc/default/docker > DOCKER_OPTS

Per stackoverflow, I edited /etc/default/docker with DOCKER_OPTS="-H unix:// -H tcp://" then sudo service docker restart. Same connection refused errors.


  • Quick-Fix (insecure)

    From Gist

    1. /etc/docker/daemon.json

    {"hosts": ["tcp://", "unix:///var/run/docker.sock"]}

    2. sudo service docker restart

    Long-Fix (TLS)

    TLS support: more detailed serverfault, step-by-step blog post. If you're setting up Docker on server, I recommend following the blog post. For me I just wanted Docker in WSL2, socket reachable by Windows (PyCharm), and TLS secure. So my modifications use ~/.docker & localhost (rather than root folders & FQDN). Here are my steps:

    1. /etc/docker/daemon.json

    "hosts": ["unix:///var/run/docker.sock", "tcp://"],
    "tlscacert": "/home/lefnire/.docker/certs/ca.pem",
    "tlscert": "/home/lefnire/.docker/certs/server-cert.pem",
    "tlskey": "/home/lefnire/.docker/certs/server-key.pem",
    "tlsverify": true

    Note I'm using ~/.docker/certs instead of /etc/docker/certs. I hit permission snags with PyCharm needing access to "Certificates Folder", even with chmod -v 0444 x attempts.

    2. Certs

    $ mkdir ~/.docker/certs
    $ cd ~/.docker/certs
    $ openssl genrsa -aes256 -out ca-key.pem 4096  # enter passphrase
    $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem  # enter localhost at FQDN step
    $ openssl genrsa -out server-key.pem 4096
    $ openssl req -subj "/CN=localhost" -sha256 -new -key server-key.pem -out server.csr
    $ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
    $ echo subjectAltName = DNS:localhost,IP: >> extfile.cnf
    $ echo extendedKeyUsage = serverAuth >> extfile.cnf
    $ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
    $ openssl genrsa -out key.pem 4096
    $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    $ echo extendedKeyUsage = clientAuth > extfile-client.cnf
    $ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf

    Ignore openssl RAND errors (or fix it)

    3. sudo service docker restart

    4. PyCharm (optional)

    1. File > Settings > Build, Execution, Deployment > Docker
      1. Add Docker (or click existing) > [x] TCP Socket
      2. Engine API URL: https://localhost:2376
      3. Certificates Folder: \\wsl$\Ubuntu-18.04\home\lefnire\.docker\certs
    2. File > Settings > Project: [my-proj] > Python Interpreter
      1. Dropdown > Show All... > Add > Docker