Updated April 10, 2022, with current Alpine instructions, Debian/Ubuntu package signing tweaks (no more apt-key), and better guidance for handling iptables in Debian. A little more suggestion about TCP access, as well. And further emphasis on the optional nature of the
/mnt/wsl/shared-docker
socket directory.
Windows Subsystem for Linux 2 sports an actual Linux kernel, supporting real Linux containers and Docker. Docker works on WSL 2, and without requiring the robust but heavy Docker Desktop if that is undesirable. However, due to both WSL and Docker complexities, a little tender loving care is required to get Docker up and running. This article attempts to explore such a process and options along the way.
Contrary to what the length of this article might suggest, getting Docker working on WSL is fairly simple. In a nutshell:
- Instead of using an init system such as systemd to launch the Docker daemon, launch it by calling
dockerd
manually. - If sharing the Docker daemon between WSL instances is desired, configure it to use a socket stored in the shared
/mnt/wsl
directory. - If sharing and privileged access without sudo are desired, configure the
docker
group to have the same group ID across all WSL instances - For simplicity, rather than launch a Windows-based Docker client, launch
docker
inside WSL.
Plenty more nuance and decisions below, of course. See details regarding the companion Github repo by scrolling to the bottom.
Are you sure you don't want Docker Desktop?
Before proceeding, let's note that Docker Desktop is amazing. If you want Docker to work on Windows and WSL 2, installing Docker Desktop is most likely the way to go. With Docker Desktop's WSL 2 backend, Docker integrates with Windows in a fairly elegant way, and the docker client can be launched from either Powershell or Linux. Reading about what goes on under the hood is an entertaining and informative endeavor, as well. Very clever.
If you came here looking how to get Docker running easily, or if you want Windows containers (still a rarity) out of the box, then Docker Desktop is your friend, and you can go install it now.
But if you, like me, feel that all the added complexity of Docker Desktop is unnecessary, you don't need Windows containers, or you are simply tired of that whale in the system tray taking... so... long... then perhaps you want to run the docker daemon (dockerd
) in the WSL distro of your choice and be happy. You are at the right place.
Note that Docker Desktop is only free individuals or for small companies. If you are using it for work, and your company exceeds a certain size or revenue, then consider paying for a subscription. Of course, if you use Docker without Docker Desktop, as detailed in this article, then this does not apply. See more details about the Docker subscription model here.
Have you tried Podman?
Before we mosey along, though: are you aware of Podman? Podman is daemonless (no background service needed), modern (cgroups v2 out of the box), supports rootless, and serves as a drop-in replacement for Docker. Without needing to worry about sockets and ports, a lot of headaches go away.
I have written about getting Podman to work on WSL 2. Feel free to try it out. You may never look back. And, yes, VSCode can work with podman.
And yet... Sometimes, one just needs Docker to work. Maybe some tooling you use can't handle Podman, or you just want to put WSL through its paces. If so, read on.
Make sure that WSL is version 2
Please note that these steps require WSL 2 (not version 1). WSL 2 uses an actual Linux kernel that allows Linux containers. WSL 1 was genius with running Linux on the Windows kernel, but of course lacked some of the features, such as containers. Microsoft offers a more detailed comparison in the docs.
You will most certainly need WSL 2 to run the Docker service.
Does the command wsl --set-default-version 2
work? This will set the default version to WSL 2, or fail if you are still on the first version.
Microsoft's has step-by-step instructions on how to upgrade to WSL 2.
To run WSL 2, Windows version 1903 or higher is needed, with Build 18362 or higher. To tell what version you are running, run winver
in Powershell or CMD, or just type Win key and R (⊞-r) to open the Run dialog and then enter winver
. Hopefully you will see something like "Version 21H2. OS Build 19044.1586"
Install a Linux distro
If you do not yet have a running WSL instance with a distro of your choice, the next step is to pick one from the Microsoft Store. If you dislike the Windows Store, there are other options.
Custom installations are also a great option with WSL 2. For instance, install and configure Fedora, or any other distro for which you can obtain a rootfs in tar format and then wsl --import rootfs.tar
.
This guide includes instructions for launching dockerd in Debian, Ubuntu, Alpine, and Fedora. If you think there is another obvious WSL distro that should be considered, feel free to let me know in the comments.
Configure a non-root user
Once you have installed the distro of your choice, launch it and set up a non-root user if you have not already. Debian and Ubuntu will configure this automatically at first launch, as should Alpine if you installed it from the Store. If the whoami
command returnes "root", then you will want to add a non-root user. For Alpine or Fedora, use adduser myusername
to create a new user. On Alpine, this should prompt for the new password. On Fedora, you will additionally need to passwd myusername
and enter the password you want to use. (If your Fedora does not have passwd
, then you will need to first dnf install passwd cracklib-dicts
).
On later versions of Alpine from the Microsoft Store, while a non-root user is created as part of setup, this user is initially password-less. You can double check on any distro with:
cat /etc/shadow | grep myusername | cut -d: -f2
(If you are not root, you may need to su
first).
If the result is "!" then that user has no password set. If the result is a random hash string, then you are good. If you need to set a password, you can use passwd myusername
(of course, in all of the above, use your username in place of "myusername."
Configure admin (sudo) access for the non-root user
If you used Debian or Ubuntu from the Windows store and set up the default user on first launch, then sudo should already be configured on behalf of the default user. You can skip this step, and proceed to updating packages and testing network connectivity, below.
When signed in as the user you set up (try su myusername
if you are still root), can you sudo -v
without an error?
If not, first make sure that sudo is installed. On Alpine, that's apk add sudo
and on Fedora, dnf install sudo
. If this fails due to network connectivity, see below. You can follow the directions there in order to correct DNS, but of course eliminate any occurrence of sudo
in those commands, as you do not have it yet, and you should still be root anyway.
Is your user a "sudoer"? Try the following to see if they are part of the sudo
or wheel
group:
grep -E 'sudo|wheel' /etc/group
On distros that have a sudo
group, such as Ubuntu and Debian, you should see something like sudo:x:27:myusername
and on distros that have a wheel
group, such as Fedora and Alpine, you should see something like wheel:27:myusername
.
If your username is missing from the group, take note of the group name (sudo
or wheel
) and add the user in question to that group:
- Alpine:
addgroup myusername wheel
- Fedora:
usermod -aG wheel myusername
- Probably not necessary, but on Ubuntu/Debian:
usermod -aG sudo myusername
Finally, as root, make sure that the admin group (whether sudo
or wheel
) is enabled for sudo:
grep -E '%sudo|%wheel' /etc/sudoers
If the line is there, but commented out with a #
, then run visudo
then make sure the line reads thus (use wheel
or sudo
as determined earlier):
%wheel ALL=(ALL) ALL
Then save.
Once these steps are complete, test again with:
su myusername
sudo -v
If you are prompted for the password, then all is well. If you instead received an error containing something like "Sorry, user myusername may not run sudo" then you may need to follow the steps again, from the beginning.
Set default user
If you obtained your Linux distro from the Store, you can likely skip this step, as the default user is already set up.
If, however, when you launch WSL, you are still root, then set your new user as the default.
Assuming you have Windows build 18980 or later: simply add a user section to /etc/wsl.conf
.
Something like this will work well if you do not already have that file, or a [user]
section in it:
printf "\n[user]\ndefault = myusername\n" | sudo tee -a /etc/wsl.conf
However, if on a version of Windows before build 18980, then you will instead need to edit the registry to set a default user. Before doing this, we will need two bits of information: the user id, and the name of the WSL distro. Chances are, you already know these. If not, you can obtain the user id with id -u myusername
and check your list of WSL distros with (in Powershell) wsl -l
Then, use the following command in Powershell, but use your WSL distro name in place of "Alpine" and use your user id in place of "1000":
Get-ItemProperty Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Lxss\*\ DistributionName | Where-Object -Property DistributionName -eq Alpine | Set-ItemProperty -Name DefaultUid -Value 1000
Whichever method you use, test by logging out of WSL, and then log back in. Confirm that whoami
yields the correct username. Success.
Update/upgrade packages and test network connectivity
Let's make everything new and shiny with one of the following:
- Debian/Ubuntu:
sudo apt update && sudo apt upgrade
- Fedora:
sudo dnf upgrade
- Alpine:
sudo apk upgrade -U
Network issues?
Upgrading the packages also serves as a network test. For a variety of reasons, network connectivity issues can happen with WSL 2, and tweaking the DNS settings often resolves these problems in my experience. If the upgrade command succeeded, you can skip this section. But if the above commands fail to access the package servers, it may be something unique to your network, or your firewall or anti-malware software. I recommend the following:
echo -e "[network]\ngenerateResolvConf = false" | sudo tee -a /etc/wsl.conf
sudo unlink /etc/resolv.conf
echo nameserver 1.1.1.1 | sudo tee /etc/resolv.conf
The first line tells WSL to cease auto-configuring the /etc/resolv.conf
file. Then we remove/unlink the old file, and create a new one.
With this newly-configured DNS resolver (in this case, pointing directly to Cloudflare's DNS server) you can try upgrading packages again. Success? Excellent.
Prepare for Docker installation
Thankfully, there are official guides for installing Docker on various Linux distributions. I have based these instructions on those, with some tweaks learned from real world testing.
Remove residue
If this is not a fresh install, and you may have experimented with docker before, then first clear out any residual docker installs:
- Fedora:
sudo dnf remove moby-engine docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine
- Debian/Ubuntu:
sudo apt remove docker docker-engine docker.io containerd runc
- Alpine (probably not necessary, but just in case):
sudo apk del docker-cli docker-ce docker-openrc docker-compose docker
Install dependencies
Then, install pre-requisites:
- Debian/Ubuntu:
sudo apt install --no-install-recommends apt-transport-https ca-certificates curl gnupg2
- Fedora:
sudo dnf install dnf-plugins-core
- Alpine: Nothing needed. Dependencies will be installed later, automatically.
Debian: switch to legacy iptables
Docker utilizes iptables to implement network isolation. For good reason, Debian uses the more modern nftables, but this means that Docker cannot automatically tweak the Linux firewall. Given this, you probably want to configure Debian to use the legacy iptables by default:
update-alternatives --config iptables
And select iptables-legacy.
If you are comfortable, instead, with nftables and want to configure nftables manually for Docker, then go for it. I suspect that most, however, will want to switch to iptables legacy.
Debian/Ubuntu package repository configuration
On Debian or Ubuntu, first temporarily set some OS-specific variables:
. /etc/os-release
Then, make sure that apt
will trust the repo:
curl -fsSL https://download.docker.com/linux/${ID}/gpg | sudo tee /etc/apt/trusted.gpg.d/docker.asc
ID
will be either "ubuntu" or "debian", as appropriate, depending on what is in /etc/os-release
.
Then add and update the repo information so that apt
will use it in the future:
echo "deb [arch=amd64] https://download.docker.com/linux/${ID} ${VERSION_CODENAME} stable" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update
Fedora package repository configuration
On Fedora, first add Docker's repo:
sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
Install Docker
Now we can install the official Docker Engine and client tools:
- Debian/Ubuntu:
sudo apt install docker-ce docker-ce-cli containerd.io
- Fedora:
sudo dnf install docker-ce docker-ce-cli containerd.io
- Alpine (install the latest from edge):
sudo apk add docker --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community
Add user to docker
group
The Docker daemon is a service that Docker requires to be running in the background. The service (dockerd
) and client (docker
) communicate over a socket and/or a network port. For communication over the socket, privileged access is required. Two ways to obtain this access:
- Run
docker
as root (i.e.sudo docker
) - Through group membership, grant specific users privileged access to the Docker socket
In other words, unless you want to utilize sudo
or root access every time, add your user to the Docker group, named docker
:
- Fedora/Ubuntu/Debian:
sudo usermod -aG docker $USER
- Alpine:
sudo addgroup $USER docker
Then close that WSL window, and launch WSL again. You should see docker
when you run the command groups
to list group memberships.
Sharing dockerd: choose a common ID for the docker
group
If you only plan on using one WSL distro, this next step isn't strictly necessary. However, if you would like to have the option of sharing the Docker socket system-wide, across WSL distributions, then all will need to share a common group ID for the group docker
. By default, they each may have a different ID, so a new one is in order.
First, let's pick one. It can be any group ID that is not in use. Choose a number greater than 1000 and less than 65534. To see what group IDs are already assigned that are 1000 or above:
getent group | cut -d: -f3 | grep -E '^[0-9]{4}' | sort -g
Can't decide what number to use? May I suggest 36257. (Just dial DOCKR on your telephone keypad...) Not likely to be already in use, but check anyway:
getent group | grep 36257 || echo "Yes, that ID is free"
If the above command returns a line from /etc/group
(that does not include docker
), then pick another number and try again. If it returns "Yes, that ID is free" then you are good to go, with the following:
sudo sed -i -e 's/^\(docker:x\):[^:]\+/\1:36257/' /etc/group
Or, if groupmod
is available (which it is on Fedora, Ubuntu, and Debian, but not Alpine unless you sudo apk add shadow
), this is safer:
sudo groupmod -g 36257 docker
Once the group id has been changed, close the terminal window and re-launch your WSL distro.
Note that the above steps involving the docker
group will need to be run on any WSL distribution you currently have or install in the future, if you want to give it access to the shared Docker socket.
(Optionally) prepare a shared directory
As with the last step, if you only plan on using one WSL distro, this next step isn't strictly necessary. However, if you would like to have the option of sharing the Docker socket system-wide, across WSL distributions, then a shared directory accessible to all is needed.
Let's first make a shared directory for the docker socket, and set permissions so that the docker group can write to it.
DOCKER_DIR=/mnt/wsl/shared-docker
mkdir -pm o=,ug=rwx "$DOCKER_DIR"
chgrp docker "$DOCKER_DIR"
Configure dockerd
to use the shared directory
Again, this step can be skipped if you opt against using a shared directory for the docker socket. However, you may have other settings you wish to put in daemon.json
, so you may appreciate some familiarity with this topic.
I suggest using the configuration file /etc/docker/daemon.json
to set dockerd launch parameters. If the /etc/docker
directory does not exist yet, create it with sudo mkdir /etc/docker/
so it can contain the config file. Then the following, when placed in /etc/docker/daemon.json
, will set the docker host to the shared socket:
{
"hosts": ["unix:///mnt/wsl/shared-docker/docker.sock"]
}
Launch dockerd
Most Linux distributions use systemd or other init system, but WSL has its own init system. Rather than twist things to use the existing init system, we just launch dockerd
directly:
sudo dockerd
There should be several lines of info, warnings related to cgroup blkio
, and the like, with something like API listen on /mnt/wsl/shared-docker/docker.sock
at the end. If so, you have success.
Open another wsl terminal.
If and only if you opted to use the shared docker socket in /mnt/wsl/shared-docker
as detailed above, first set the DOCKER_HOST
environment variable:
export DOCKER_HOST="unix:///mnt/wsl/shared-docker/docker.sock"
Then, try out the docker cli:
docker run --rm hello-world
You should see the "Hello from Docker!" message.
Launch script for dockerd
The following lines can be placed in .bashrc
or .profile
if autolaunching is desired, or in a separate shell script. For instance, you may want to create a script ~/bin/docker-service
so that you can run docker-service
only when you want, manually.
DOCKER_DISTRO="Debian"
DOCKER_DIR=/mnt/wsl/shared-docker
DOCKER_SOCK="$DOCKER_DIR/docker.sock"
export DOCKER_HOST="unix://$DOCKER_SOCK"
if [ ! -S "$DOCKER_SOCK" ]; then
mkdir -pm o=,ug=rwx "$DOCKER_DIR"
chgrp docker "$DOCKER_DIR"
/mnt/c/Windows/System32/wsl.exe -d $DOCKER_DISTRO sh -c "nohup sudo -b dockerd < /dev/null > $DOCKER_DIR/dockerd.log 2>&1"
fi
If you went with the default docker socket location of /var/run/docker.sock
instead of the shared socket directory of /mnt/wsl/shared-docker
as detailed above, then the script can be something like this:
DOCKER_DISTRO="Debian"
DOCKER_LOG_DIR=$HOME/docker_logs
mkdir -pm o=,ug=rwx "$DOCKER_LOG_DIR"
/mnt/c/Windows/System32/wsl.exe -d $DOCKER_DISTRO sh -c "nohup sudo -b dockerd < /dev/null > $DOCKER_LOG_DIR/dockerd.log 2>&1"
You may choose whatever location you would like for your docker logs, of course. It just needs to be in a place that has permissions so that your user can write to it.
Note that DOCKER_DISTRO
should be set to the distro you want to have running dockerd
. If unsure of the name, simply run wsl -l -q
from Powershell to see your list of WSL distributions. Pick the right one and set it to DOCKER_DISTRO
.
The script above does the following:
- Sets the environment variable
$DOCKER_HOST
to point to the shared socket. This isn't necessary fordockerd
but it will allow runningdocker
without needing to specify-H unix:///mnt/wsl/shared-docker/docker.sock
each time. - Checks if the
docker.sock
file already exists and is a socket. If it is present, do nothing. If not present then the script does the remaining steps, as follows. - Creates the shared docker directory for the socket and
dockerd
logs, setting permissions appropriately - Runs
dockerd
from the specified distro. This is important, because it allows any WSL distro to launchdockerd
if it isn't already running. - When
dockerd
is launched, pipe its output and errors to a shared log file. - When
dockerd
is launched, it runs in the background so you don't have to devote a terminal window to the process as we did earlier. Thesudo -b
flag gives us this, and we run withnohup
so that it runs independent of the terminal, with an explicit null input tonohup
to avoid extra warnings. Both standard output and errors are written to the logfile, hence the2>&1
redirect.
Passwordless launch of dockerd
If the above script is placed in .bashrc
(most Linux distros) or .profile
(distros like Alpine that have Ash/Dash as the default shell), or other shell init script, then it has an unfortunate side effect: you will likely be prompted for a password most every time a new terminal window is launched.
To work around this, you can, if you choose, tell sudo
to grant passwordless access to dockerd
, as long as the user is a member of the docker
group. To do so, enter sudo visudo
and add the following line (if your visudo
uses vi
or vim
, then be sure to press "i
" to begin editing, and hit ESC when done editing):
%docker ALL=(ALL) NOPASSWD: /usr/bin/dockerd
Save and exit (":wq
" if the editor is vi
, or Ctrl-x if it is nano
), and then you can test if sudo dockerd
prompts for a password or not. For peace of mind, you can double-check: something like sudo -k ls -a /root
should still require a password, unless the password has been entered recently.
Make sure $DOCKER_HOST
is always set
If using the script earlier to launch dockerd
, then $DOCKER_HOST
will be set, and future invocations of docker
will not need an unwieldy -H unix:///mnt/wsl/shared-docker/docker.sock
If that script is already in your .bashrc
or .profile
, then the following is unnecessary. If, however, you manually invoke dockerd
in some way, then the following may be desirable in your .bashrc
or .profile
, if you opted for the shared docker socket directory:
DOCKER_SOCK="/mnt/wsl/shared-docker/docker.sock"
test -S "$DOCKER_SOCK" && export DOCKER_HOST="unix://$DOCKER_SOCK"
The above checks for the docker socket in /mnt/wsl/shared-docker/docker.sock
and, if present, sets the $DOCKER_HOST
environment variable accordingly. If you want a more generalized "if this is wsl, then set the socket pro-actively" then you may prefer the following, which simply check for the existence of a /mnt/wsl
directory and sets the docker socket if so:
[ -d /mnt/wsl ] && export DOCKER_HOST="unix:///mnt/wsl/shared-docker/docker.sock"
Running docker
from Windows
If configured as above, I recommend always running docker from wsl. Do you want to run a container? Do so from a WSL window. (See my article on using Windows Terminal for a convenient way to use WSL and Powershell.)
This doesn't just apply to the terminal, either. For instance, VSCode supports docker in WSL 2.
But if you want the convenience and utility of running docker in a Powershell window, I have a couple suggestions.
One is to expose dockerd
over a TCP Port, or, better yet, set up an SSH server in WSL and connect that way. docker context
will likely be your friend. Such methods will be explored in a later article, but I encourage you, reader, to explore. A hint: ever tried scoop.sh? After setting it up, scoop install docker docker-compose
will get you some familiar tools, then an SSH server such as Dropbear or OpenSSH on the WSL side...
A simplified method I recommend: a Powershell function that calls the WSL docker
, passing along any arguments. This function can be placed in your Powershell profile, usually located at ~\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
$DOCKER_DISTRO = "fedora"
function docker {
wsl -d $DOCKER_DISTRO docker -H unix:///mnt/wsl/shared-docker/docker.sock @Args
}
Again, try wsl -l -q
to see a list of your WSL distributions if you are unsure which one to use.
Make sure the Docker daemon is running, then launch a new Powershell window, and try the hello-world
container again. Success?
You could also make a batch file with the appropriate command in it. For instance, name it docker.bat
and place in C:\Windows\system32
or other location included in %PATH%
. The following contents will work in such a script:
@echo off
set DOCKER_DISTRO=fedora
wsl -d %DOCKER_DISTRO% docker -H unix:///mnt/wsl/shared-docker/docker.sock %*
You could go a step further and ensure that dockerd
is running whenever you start Powershell. Assuming that the dockerd
start script detailed above is saved in a file in WSL as $HOME/bin/docker-service
and is executable (try chmod a+x $HOME/bin/docker-service
), then the following line in your Powershell profile will launch dockerd
automatically:
wsl -d $distro ~/bin/docker-service
Not sure where your Powershell profile is located? Try entering $profile
in a powershell window.
If you don't want to rely on a particular WSL shell script, you could implement a Powershell function to launch dockerd, such as this:
function Docker-Service {
Param ([string]$distro)
$DOCKER_DIR = "/mnt/wsl/shared-docker"
$DOCKER_SOCK = "$DOCKER_DIR/docker.sock"
wsl -d "$distro" sh -c "[ -S '$DOCKER_SOCK' ]"
if ($LASTEXITCODE) {
wsl -d "$distro" sh -c "mkdir -pm o=,ug=rwx $DOCKER_DIR ; chgrp docker $DOCKER_DIR"
wsl -d "$distro" sh -c "nohup sudo -b dockerd < /dev/null > $DOCKER_DIR/dockerd.log 2>&1"
}
}
This function takes one parameter: the distro name.
In all of the above, the principle is the same: you are launching Linux executables, using WSL interoperability.
A note on bind mounts: stay on the Linux filesystem
With docker, it is possible to mount a host system's directory or files in the container. The following often works, but is not advisable when launching WSL docker from Windows:
echo "<h1>Hello, World</h1>" > index.html
docker run -p "8080:80" -v "$PWD:/usr/share/nginx/html:ro" nginx
Instead of doing the above haphazardly, when launching WSL docker from Powershell, two recommendations:
- For performance reasons, only bind mount from within the Linux filesystem. To get to a Linux directory while in Powershell, try something like
cd (wsl wslpath -m ~/path/to/my/dir)
- Instead of
$PWD
to get the current directory, try'$(wslpath -a .)'
and, yeah, the single quotes are helpful for escaping.
An example:
cd (wsl wslpath -m ~)
mkdir html
cd html
echo "<h1>Hello, World</h1>" > index.html
docker run -p "8080:80" -v '$(wslpath -a .):/usr/share/nginx/html:ro' nginx
Then point your browser to http://localhost:8080, and happiness will result. (Depending on your network configuration, you may instead need to access this through http://[WSL IP Address]:8080 which should be obtainable with ifconfig
or ip addr
)
Try wsl wslpath
from Powershell, or just wslpath
from Linux, to see the options. This is a very useful tool, to say the least.
Example scripts
After walking through the steps in this article, you should now have a working and potentially auto-launched dockerd
, shared Docker socket, and conveniently configured docker
command.
Some of the code examples above have been placed in scripts in a companion Github repo. I summarize the files available here:
-
docker-service.sh is a Unix shell script to launch
dockerd
-
docker-service.ps1 contains a Powershell function to launch
dockerd
in WSL -
docker.bat is a Windows batch file for launching WSL
docker
from CMD -
docker.ps1 contains a Powershell function for launching WSL
docker
from Powershell, if placed in your profile
No doubt there are ways these can be tweaked to be more useful and reliable; feel free to post in the comments.
Interested in further tinkering with WSL 2?
Other articles I have written on WSL:
Top comments (134)
I'll never understand why developers who write code to run in linux fight with windows. Just run linux native. This isn't the 90's anymore, it is really super easy to run linux on your local dev machine and every program you would want for dev that is worth running already runs on linux.
Usually because I need
But yes, I used WSL2 enough that moved to a second PC with native Linux.
I am familiar with those circumstances.
For me, using WSL isn't a choice against Linux, but a choice to use Linux everywhere. A Linux dev machine is quite desirable. Even with that, I will still run WSL on any Windows machine I can. Because I do a lot from the command line, and I often want that command line to be Linux, no matter the location or network connectivity.
Corporate.
We tried. But I have other things to do than spend my time trying to argue with people that we should be allowed to get Linux machines on our corporate network.
The only option that we had is to run a corporate-managed VM on Azure, with their own "linux" which is a special build from oracle that I never heared of before they mentionned it, and where no open source tools seems to offer any kind of support.
WSL is the only option that I have. HyperV is not stable enough on Linux, and VirtualBox is blocked by corporate rules.
Windows can do a lot of things linux cant and has a lot of cutting edge hardware support. Sometimes you need this simple as that.
However I agree developing linux apps with docker on windows can be a pain I'd recommend just installing linux on a dedicated machine for that purpose if you can.
Here are the problems I had on Ubuntu (note that I really wanted to work on linux since our servers run on linux) :
^^ This.
Stop running Windows unless you really have to.
I work on client/server software. The client is Windows; the server is not.
I will readily admit being a Linux newbie despite I installed Slackware with Linux 0.99pl15 for the first time from a stack of floppies early 1994. I am still running Linux on servers to this day. I ran Linux dual boot from 2000-2004 and then as a daily driver 2004-2017. It was a miserable experience. The choices are running Ubuntu where upgrading every six months shatters your OS so badly you can't work for days or Arch where upgrades often break one of your printer/scanner/Bluetooth. Connecting to any sort of enterprise-y VPN or WiFi just doesn't work. I don't care whether it's the fault of F5 or the community for not working -- if I can't VPN in, I can't work.
So the reason I use Windows is because that's where the driver support is. Plain and simple. And I use WSL2 because Linux excels at CLI and daemons.
Todd, many people are provisioned corporate laptops. In many regions also you cannot get a linux or Mac from the company, only Windows. WSL2 is, generally, better than the old cygwin many of us used decades ago. So no, it's not an automatic that developers get to use the best OS ever made.
I have tried with multiple laptops (and multiple distros) and even with so many customisations, laptops keep heating up on idle.
Not so ideal for development with that heat on my hand . I do wish it'd change some day. Been waiting for years now.
That sounds odd. Ive been running WSL on potato laptops and now I high end one with no heat issues at all.
Fight? There's no fight between Windows and Linux since wsl2. It's a peaceful symbiosis.
somewhat peaceful, but following DOCKER0 from WSL2 out to the host network has issues in some configurations with Docker Desktop where installing docker directly into WSL works.
Brilliant article - thanks for the thorough write up @bowmanjd!
I'm curious why you'd use a custom script to start
dockerd
rather than just usingservice docker start
?Is it just to control the shared docker socket location, or are there other reasons?
(I'm running Ubuntu-22.04)
xref: docs.microsoft.com/en-us/windows/w...
Great point. If using only one distro, and that distro is Ubuntu,
service docker start
should work well. It could be embedded in a script, I suppose, and launched from other distros or Powershell. But I wanted something truly distro-agnostic.Also note that a boot command in
/etc/wsl.conf
is only available on Windows 11.Hi Jonathan, great article, thank you!
A couple of updates when running in Windows 11H2 (and Ubuntu 22.04 in my case):
1)
systemd
is now native in Windows 11H2, BUT needs an updated WSL2 install (I was using WSL v0.63 and I believe nativesystemd
support is in v0.68 onwards) - otherwise you getUpgrading WSL to latest version means that updating
/etc/wsl.conf
withthen works as desired...
2) We also need
containerd
installed - I used the manual steps from here and that worked for me howtoforge.com/how-to-install-cont...Those two steps joined the dots and now docker is running without docker desktop :)
Russ
What!??? When did this happen? No one tells me these things. Except for you, of course, for which I am extremely grateful. Well, this is a game changer. I will work on updating the instructions for systemd, then!
Weird -- containerd is already installed on mine; I can update the instructions accordingly. Thank you so much!
I'm running things with systemd now, I'm just struggling on how to launch that script which ensures the docker.sock is created before launching the actual docker service. So if you could include that in a rewrite that would be nice :)
I have been pulling my hair for 8 days trying to run Docker on WSL2 without too many problems arising from nowhere with limited Linux experience. This article really helped me pull through it all. Kudos to you, Jonathan! Great detailed and crystal-clear article!
So glad you found it helpful!
It might be worth mentioning that as of a few months ago, the default WSL2 install (Ubuntu) can be configured to support systemd with a two-line config file. I only just finished the install so I can't confirm that everything works 100% out of the box, but after rebooting the VM,
dockerd
was running as expected.According to this article from Microsoft, systemd is now enabled by default for the default Ubuntu WSL distribution installed with WSL and installable from the Microsoft Store.
Installing the distribution-maintained version of Docker is now as simple as:
Close the Ubuntu Terminal and re-open it (to make the group add take effect) and test that it works:
and Bob's your uncle. All done in less than a minute's work.
Beautiful!
Hey, great stuff! It is actually possible to expose docker.sock from WSL so that it is accessible by Windows applications. In fact this is what Docker Desktop is doing, allowing all Windows native applications to use npipe docker context. It requires a small proxy application to make it work though. To make it easy to use I have packaged it into a container, so it is easy to deploy with a single docker run.
Read more about this here
Hi, followed everything but on doing sudo dockered getting this error.
WARN[2021-10-24T16:24:00.993150800+05:30] grpc: addrConn.createTransport failed to connect to {unix:///var/run/docker/containerd/containerd.sock 0 }. Err :connection error: desc = "transport: Error while dialing dial unix:///var/run/docker/containerd/containerd.sock: timeout". Reconnecting... module=grpc
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.4 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgrade
What helped me in similar situation:
dockerd
I got this so I just added "iptables": false to my daemon.json and this error was averted. In the original post it says you only need to do this for Debian but not Ubuntu, and I'm using Ubuntu so I skipped that step originally. But in the end, turned out it was required.
I did that but it did not work for me. Now I have started using docker desktop again.
Hi,
Thanks for this post, very useful previously. For information, we can now install Podman desktop (and podman with MSI file), experimental but interressing.
I will definitely try that, and update the article. Thank you!
For some reason I can't get internet connection inside the container.
Hi, I have exactly the same issue... @bowmanjd can you share any hint about how to get Internet connection working on docker containers running on WSL2?
Interesting... What sort of errors are you seeing? Is it all internet connectivity, or just DNS?
It is all internet connectivity: I cannot ping 1.1.1.1 but I can ping the docker host from a container.
BTW I solved this issue switching from Debian to Ubuntu as WSL2 distro.
I'm having same issue, using Debian 11 on WSL2. With a Dockerfile containing only:
FROM centos:7
RUN yum -y install httpd
I was getting yum errors not resolving the name of the mirror server:
Determining fastest mirrors
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"
Since I could resolve the name of the server from Debian WSL2 with no issue, I knew my DNS was working there. So I added some sleuthing to the Dockerfile:
FROM centos:7 RUN cat /etc/resolv.conf && ping -v -c2 host.docker.internal && ping -v -c2 1.1.1.1 && ping -v google.com && ping -v mirrorlist.centos.org RUN echo "timeout=30" >> /etc/yum.conf && cat /etc/yum.conf && yum -y install httpd
and run docker build with
--add-host=host.docker.internal:host-gateway
, I can see that I can ping the host from the container, but the container cannot seem to ping any external ip, even the cloudflare dns 1.1.1.1 or google's 8.8.8.8.I've played around with setting DNS in the container explicitly using the /etc/docker/daemon.json with things like
"dns": ["1.1.1.1", "8.8.8.8"]
, but if the container can't even get connectivity to these ips that's not going to work..My Debian environment does not have any iptables configured. I'm flummoxed.
I found my debian environment is configured to use iptables-nft:
$> sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
But I was getting no rules generated by iptables-nft-save, and several rules generated by iptables-legacy-save, so I explicitly update-alternatives to iptables-legacy and rebooted (host and wsl2/debian). (Will report back with results..)
Still same error after switching explicitly to iptables-legacy in debian 11. FWIW, I'm also passing the following dns servers to my containers via docker daemon.json:
I've tried putting the google and cloudflare dns first in this order, to no avail.
The issue is more easily reproduced on my system by just running ping commands inside the latest alpine image:
The problem was that even though I had reverted to iptables-legacy in Debian, I still had
iptables: "false"
in my docker daemon.json. On removing that, docker can use its default iptables impl and work with Debian Bullseye. Now, my containers can access "the internet".I realize that your post indicated to use iptables: false as a way to get debian wsl2 instances to work with docker. But that never worked for me for some reason.
Yeah, I have actually changed the instructions, removing the iptables:false, as using iptables-legacy seems like the right way to do it.
I had the same issue with Ubuntu in WSL2. Removing iptables: "false" from the daemon.json and switching to iptables-legacy did the trick. No full reboot was necessary, running "wsl --shutdown" in powershell + reopening the ubuntu shell did the trick. Thanks!