AJNOURI / Docker_Certified_Associate_Certification

Preparation for Docker Certified Associate certification exam.
MIT License

FATA[0000] The Docker port is externally accessible on this node, accepting connections on port 2375. This node is insecure. Learn more at https://docker.com/ddc-18 #15

Closed AJNOURI closed 6 years ago

AJNOURI commented 6 years ago

When trying to install UCP on dind (docker-in-docker cluster):

docker container run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.4 install --host-address 172.17.0.10 --interactive

INFO[0000] Verifying your system is compatible with UCP 2.2.4 (168ec746e)
INFO[0000] Your engine version 17.12.1-ce, build 7390fc6 (3.16.0-4-amd64) is compatible
Admin Username: admin
Admin Password:
Confirm Admin Password:
INFO[0013] All required images are present
WARN[0013] None of the hostnames we'll be using in the UCP certificates [124915a288ea 127.0.0.1 172.18.0.1 172.17.0.10] contain a domain component. Your generated certs may fail TLS validation unless you only use one of these shortnames or IPs to connect. You can use the --san flag to add more aliases

You may enter additional aliases (SANs) now or press enter to proceed with the above list.
Additional aliases:
FATA[0000] The Docker port is externally accessible on this node, accepting connections on port 2375. This node is insecure. Learn more at https://docker.com/ddc-18
/ #

AJNOURI commented 6 years ago

The link in the error message points to: https://success.docker.com/article/the-docker-port-is-externally-accessible-on-this-node


But this port needs to be open on the container so that the outer Docker can run docker commands on the container.

In the Dockerfile used to build the DIND image, the port is exposed: https://github.com/docker-library/docker/blob/1ad458b04229d155bbec6bbd4b5142497aa8126a/18.03/dind/Dockerfile

As a workaround, set an iptables rule to drop incoming traffic to port 2375:

iptables -I INPUT -p tcp --dport 2375 -j DROP

And that worked:

/ # docker container run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:2.2.4 install --host-address 192.168.123.2 --interactive

INFO[0000] Verifying your system is compatible with UCP 2.2.4 (168ec746e)
INFO[0000] Your engine version 17.12.1-ce, build 7390fc6 (3.16.0-4-amd64) is compatible
Admin Username: admin
Admin Password:
Confirm Admin Password:
INFO[0010] All required images are present
WARN[0010] None of the hostnames we'll be using in the UCP certificates [smanage1 127.0.0.1 172.17.0.1 192.168.123.2] contain a domain component. Your generated certs may fail TLS validation unless you only use one of these shortnames or IPs to connect. You can use the --san flag to add more aliases

You may enter additional aliases (SANs) now or press enter to proceed with the above list.
Additional aliases:
WARN[0006] Unauthorized users may be able to access this node since it's listening on port 2375. Learn more at https://docker.com/ddc-18
WARN[0006] Installation will continue in 10 seconds...
INFO[0039] Establishing mutual Cluster Root CA with Swarm
INFO[0042] Installing UCP with host address 192.168.123.2 - If this is incorrect, please specify an alternative address with the '--host-address' flag
INFO[0042] Generating UCP Client Root CA
INFO[0042] Deploying UCP Service
INFO[0205] Installation completed on smanage1 (node djr0w2ym29sy7me2n1gmgg4jq)
INFO[0209] Installation completed on sworker2 (node lonipfa138yheik09kx9uzvti)
INFO[0215] Installation completed on sworker1 (node lfp5kjwj20jjldonjf0o0baff)
INFO[0215] UCP Instance ID: 3toyux17tbb7pitlnzkr7pd1k
INFO[0215] UCP Server SSL: SHA-256 Fingerprint=C9:7C:FA:D9:64:EE:08:C1:5F:4C:48:95:01:EF:BF:36:FE:33:31:9F:62:69:75:5A:63:70:B1:57:61:66:64:34
INFO[0215] Login to UCP at https://192.168.123.2:443
INFO[0215] Username: admin
INFO[0215] Password: (your admin password)
/ #
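The workaround above is a one-off command; the same check the UCP preflight performs (is the plaintext Docker API port bound on a non-loopback address?) can be scripted so the DROP rule is only added when it is actually needed, and added only once. The following POSIX shell script is an added example and is not from the issue, the repository, or Docker; it assumes the `ss -ltn` / `netstat -ltn` column layout (local address in the fourth field), an `--apply` flag, and a `DOCKER_PORT` environment variable defaulting to 2375.

```shell
#!/bin/sh
# Added example (not from the issue): detect a Docker daemon listening on the
# plaintext API port on a non-loopback address, and if found add the same
# iptables DROP rule used as the workaround in the thread, idempotently.

DOCKER_PORT="${DOCKER_PORT:-2375}"   # assumed override knob, default from the issue

# Reads listening-socket lines in the layout printed by `ss -ltn` or
# `netstat -ltn` on stdin (local address is the fourth column in both).
# Returns 0 (true) when something listens on $DOCKER_PORT on an address
# other than loopback, which is the condition UCP's preflight rejects.
docker_port_is_external() {
    awk -v port="$DOCKER_PORT" '
        {
            n = split($4, a, ":")
            # header lines and fields without a port suffix are skipped
            if (n < 2 || a[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            # loopback-only bindings do not expose the API to the network
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Applies the DROP rule from the issue. `-C` checks whether an identical rule
# already exists so repeated runs do not stack duplicates; `-I` inserts the
# rule ahead of any earlier ACCEPT that might otherwise match first.
harden_docker_port() {
    iptables -C INPUT -p tcp --dport "$DOCKER_PORT" -j DROP 2>/dev/null \
        || iptables -I INPUT -p tcp --dport "$DOCKER_PORT" -j DROP
}

main() {
    if ss -ltn 2>/dev/null | docker_port_is_external; then
        echo "port $DOCKER_PORT listens on a non-loopback address; adding DROP rule"
        harden_docker_port
    else
        echo "port $DOCKER_PORT is not externally reachable; nothing to do"
    fi
}

# Only touch the firewall when explicitly asked (assumed flag), e.g.:
#   sudo sh harden_docker_port.sh --apply
case "${1:-}" in
    --apply) main ;;
esac
```

The DROP rule blocks the port for everyone, including hosts that legitimately need the API; in the DIND setup from the issue that is acceptable because the outer daemon talks to the inner one over the mounted socket, not TCP. On a real node the better fix remains not binding dockerd to tcp://0.0.0.0:2375 at all, or protecting the listener with TLS client certificates.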

AJNOURI commented 6 years ago

Besides, I could install DTR on one of the workers:


/ # docker run -it --rm docker/dtr install --ucp-node sworker1 --ucp-username admin --ucp-url https://192.168.123.2 --ucp-insecure-tls
Unable to find image 'docker/dtr:latest' locally
latest: Pulling from docker/dtr
605ce1bd3f31: Pull complete
3229f5297e59: Pull complete
311610a93755: Pull complete
33fb3c0b5eca: Pull complete
Digest: sha256:713cd5692136d203d10a94084dca13c1918f3ef25543e3908d9358dad83e2aac
Status: Downloaded newer image for docker/dtr:latest
INFO[0000] Beginning Docker Trusted Registry installation
ucp-password:
INFO[0009] Validating UCP cert
INFO[0009] Connecting to UCP
INFO[0010] The UCP cluster contains the following nodes without port conflicts: sworker1, sworker2
INFO[0011] Searching containers in UCP for DTR replicas
INFO[0011] Searching containers in UCP for DTR replicas
INFO[0011] verifying [80 443] ports on sworker1
INFO[0019] starting phase 2
INFO[0000] Validating UCP cert
INFO[0000] Connecting to UCP
INFO[0001] Verifying your system is compatible with DTR
INFO[0001] Checking if the node is okay to install on
INFO[0002] Creating network: dtr-ol
INFO[0002] Connecting to network: dtr-ol
INFO[0002] Waiting for phase2 container to be known to the Docker daemon
INFO[0004] Starting UCP connectivity test
INFO[0004] UCP connectivity test passed
INFO[0004] Setting up replica volumes...
INFO[0008] Creating initial CA certificates
INFO[0008] Bootstrapping rethink...
INFO[0008] Creating dtr-rethinkdb-2fba312f04e1...
INFO[0025] Establishing connection with Rethinkdb
INFO[0026] Waiting for database dtr2 to exist
INFO[0028] Establishing connection with Rethinkdb
INFO[0036] Generated TLS certificate. dnsNames=[.com ..com example.com .dtr ..dtr] domains=[.com ..com 172.17.0.1 example.com .dtr ..dtr] ipAddresses=[172.17.0.1]
INFO[0041] License config not copied from UCP because UCP has no valid license.
INFO[0041] Migrating db...
INFO[0000] Establishing connection with Rethinkdb
INFO[0000] Migrating database schema fromVersion=0 toVersion=8
INFO[0055] Waiting for database notaryserver to exist
INFO[0072] Waiting for database notarysigner to exist
INFO[0075] Waiting for database jobrunner to exist
INFO[0099] Migrated database from version 0 to 8
INFO[0141] Starting all containers...
INFO[0141] Getting container configuration and starting containers...
INFO[0142] Recreating dtr-rethinkdb-2fba312f04e1...
INFO[0153] Creating dtr-registry-2fba312f04e1...
INFO[0167] Creating dtr-garant-2fba312f04e1...
INFO[0180] Creating dtr-api-2fba312f04e1...
INFO[0207] Creating dtr-notary-server-2fba312f04e1...
INFO[0221] Recreating dtr-nginx-2fba312f04e1...
INFO[0236] Creating dtr-jobrunner-2fba312f04e1...
INFO[0265] Creating dtr-notary-signer-2fba312f04e1...
INFO[0292] Creating dtr-scanningstore-2fba312f04e1...
INFO[0309] Trying to get the kv store connection back after reconfigure
INFO[0309] Establishing connection with Rethinkdb
INFO[0313] Verifying auth settings...
INFO[0313] Successfully registered dtr with UCP
INFO[0314] Establishing connection with Rethinkdb
INFO[0322] Background tag migration started
INFO[0322] Installation is complete
INFO[0322] Replica ID is set to: 2fba312f04e1
INFO[0322] You can use flag '--existing-replica-id 2fba312f04e1' when joining other replicas to your Docker Trusted Registry Cluster
/ #