DEV Community

Cover image for Install Docker on Windows (WSL) without Docker Desktop
Jonathan Bowman
Jonathan Bowman

Posted on • Updated on

Install Docker on Windows (WSL) without Docker Desktop

Updated April 10, 2022, with current Alpine instructions, Debian/Ubuntu package signing tweaks (no more apt-key), and better guidance for handling iptables in Debian. A little more suggestion about TCP access, as well. And further emphasis on the optional nature of the /mnt/wsl/shared-docker socket directory.

Windows Subsystem for Linux 2 sports an actual Linux kernel, supporting real Linux containers and Docker. Docker works on WSL 2, and without requiring the robust but heavy Docker Desktop if that is undesirable. However, due to both WSL and Docker complexities, a little tender loving care is required to get Docker up and running. This article attempts to explore such a process and options along the way.

Contrary to what the length of this article might suggest, getting Docker working on WSL is fairly simple. In a nutshell:

  • Instead of using an init system such as systemd to launch the Docker daemon, launch it by calling dockerd manually.
  • If sharing the Docker daemon between WSL instances is desired, configure it to use a socket stored in the shared /mnt/wsl directory.
  • If sharing and privileged access without sudo are desired, configure the docker group to have the same group ID across all WSL instances
  • For simplicity, rather than launch a Windows-based Docker client, launch docker inside WSL.

Plenty more nuance and decisions below, of course. See details regarding the companion Github repo by scrolling to the bottom.

Are you sure you don't want Docker Desktop?

Before proceeding, let's note that Docker Desktop is amazing. If you want Docker to work on Windows and WSL 2, installing Docker Desktop is most likely the way to go. With Docker Desktop's WSL 2 backend, Docker integrates with Windows in a fairly elegant way, and the docker client can be launched from either Powershell or Linux. Reading about what goes on under the hood is an entertaining and informative endeavor, as well. Very clever.

If you came here looking how to get Docker running easily, or if you want Windows containers (still a rarity) out of the box, then Docker Desktop is your friend, and you can go install it now.

But if you, like me, feel that all the added complexity of Docker Desktop is unnecessary, you don't need Windows containers, or you are simply tired of that whale in the system tray taking... so... long... then perhaps you want to run the docker daemon (dockerd) in the WSL distro of your choice and be happy. You are at the right place.

Note that Docker Desktop is only free individuals or for small companies. If you are using it for work, and your company exceeds a certain size or revenue, then consider paying for a subscription. Of course, if you use Docker without Docker Desktop, as detailed in this article, then this does not apply. See more details about the Docker subscription model here.

Have you tried Podman?

Podman

Before we mosey along, though: are you aware of Podman? Podman is daemonless (no background service needed), modern (cgroups v2 out of the box), supports rootless, and serves as a drop-in replacement for Docker. Without needing to worry about sockets and ports, a lot of headaches go away.

I have written about getting Podman to work on WSL 2. Feel free to try it out. You may never look back. And, yes, VSCode can work with podman.

And yet... Sometimes, one just needs Docker to work. Maybe some tooling you use can't handle Podman, or you just want to put WSL through its paces. If so, read on.

Make sure that WSL is version 2

Please note that these steps require WSL 2 (not version 1). WSL 2 uses an actual Linux kernel that allows Linux containers. WSL 1 was genius with running Linux on the Windows kernel, but of course lacked some of the features, such as containers. Microsoft offers a more detailed comparison in the docs.

You will most certainly need WSL 2 to run the Docker service.

Does the command wsl --set-default-version 2 work? This will set the default version to WSL 2, or fail if you are still on the first version.

Microsoft's has step-by-step instructions on how to upgrade to WSL 2.

To run WSL 2, Windows version 1903 or higher is needed, with Build 18362 or higher. To tell what version you are running, run winver in Powershell or CMD, or just type Win key and R (⊞-r) to open the Run dialog and then enter winver. Hopefully you will see something like "Version 21H2. OS Build 19044.1586"

Install a Linux distro

If you do not yet have a running WSL instance with a distro of your choice, the next step is to pick one from the Microsoft Store. If you dislike the Windows Store, there are other options.

Custom installations are also a great option with WSL 2. For instance, install and configure Fedora, or any other distro for which you can obtain a rootfs in tar format and then wsl --import rootfs.tar.

This guide includes instructions for launching dockerd in Debian, Ubuntu, Alpine, and Fedora. If you think there is another obvious WSL distro that should be considered, feel free to let me know in the comments.

Configure a non-root user

Once you have installed the distro of your choice, launch it and set up a non-root user if you have not already. Debian and Ubuntu will configure this automatically at first launch, as should Alpine if you installed it from the Store. If the whoami command returnes "root", then you will want to add a non-root user. For Alpine or Fedora, use adduser myusername to create a new user. On Alpine, this should prompt for the new password. On Fedora, you will additionally need to passwd myusername and enter the password you want to use. (If your Fedora does not have passwd, then you will need to first dnf install passwd cracklib-dicts).

On later versions of Alpine from the Microsoft Store, while a non-root user is created as part of setup, this user is initially password-less. You can double check on any distro with:



cat /etc/shadow | grep myusername | cut -d: -f2


Enter fullscreen mode Exit fullscreen mode

(If you are not root, you may need to su first).

If the result is "!" then that user has no password set. If the result is a random hash string, then you are good. If you need to set a password, you can use passwd myusername (of course, in all of the above, use your username in place of "myusername."

Configure admin (sudo) access for the non-root user

If you used Debian or Ubuntu from the Windows store and set up the default user on first launch, then sudo should already be configured on behalf of the default user. You can skip this step, and proceed to updating packages and testing network connectivity, below.

When signed in as the user you set up (try su myusername if you are still root), can you sudo -v without an error?

If not, first make sure that sudo is installed. On Alpine, that's apk add sudo and on Fedora, dnf install sudo. If this fails due to network connectivity, see below. You can follow the directions there in order to correct DNS, but of course eliminate any occurrence of sudo in those commands, as you do not have it yet, and you should still be root anyway.

Is your user a "sudoer"? Try the following to see if they are part of the sudo or wheel group:



grep -E 'sudo|wheel' /etc/group


Enter fullscreen mode Exit fullscreen mode

On distros that have a sudo group, such as Ubuntu and Debian, you should see something like sudo:x:27:myusername and on distros that have a wheel group, such as Fedora and Alpine, you should see something like wheel:27:myusername.

If your username is missing from the group, take note of the group name (sudo or wheel) and add the user in question to that group:

  • Alpine: addgroup myusername wheel
  • Fedora: usermod -aG wheel myusername
  • Probably not necessary, but on Ubuntu/Debian: usermod -aG sudo myusername

Finally, as root, make sure that the admin group (whether sudo or wheel) is enabled for sudo:



grep -E '%sudo|%wheel' /etc/sudoers


Enter fullscreen mode Exit fullscreen mode

If the line is there, but commented out with a #, then run visudo then make sure the line reads thus (use wheel or sudo as determined earlier):



%wheel ALL=(ALL) ALL


Enter fullscreen mode Exit fullscreen mode

Then save.

Once these steps are complete, test again with:



su myusername
sudo -v


Enter fullscreen mode Exit fullscreen mode

If you are prompted for the password, then all is well. If you instead received an error containing something like "Sorry, user myusername may not run sudo" then you may need to follow the steps again, from the beginning.

Set default user

If you obtained your Linux distro from the Store, you can likely skip this step, as the default user is already set up.

If, however, when you launch WSL, you are still root, then set your new user as the default.

Assuming you have Windows build 18980 or later: simply add a user section to /etc/wsl.conf.

Something like this will work well if you do not already have that file, or a [user] section in it:



printf "\n[user]\ndefault = myusername\n" | sudo tee -a /etc/wsl.conf


Enter fullscreen mode Exit fullscreen mode

However, if on a version of Windows before build 18980, then you will instead need to edit the registry to set a default user. Before doing this, we will need two bits of information: the user id, and the name of the WSL distro. Chances are, you already know these. If not, you can obtain the user id with id -u myusername and check your list of WSL distros with (in Powershell) wsl -l

Then, use the following command in Powershell, but use your WSL distro name in place of "Alpine" and use your user id in place of "1000":



Get-ItemProperty Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Lxss\*\ DistributionName | Where-Object -Property DistributionName -eq Alpine  | Set-ItemProperty -Name DefaultUid -Value 1000


Enter fullscreen mode Exit fullscreen mode

Whichever method you use, test by logging out of WSL, and then log back in. Confirm that whoami yields the correct username. Success.

Update/upgrade packages and test network connectivity

Let's make everything new and shiny with one of the following:

  • Debian/Ubuntu: sudo apt update && sudo apt upgrade
  • Fedora: sudo dnf upgrade
  • Alpine: sudo apk upgrade -U

Network issues?

Upgrading the packages also serves as a network test. For a variety of reasons, network connectivity issues can happen with WSL 2, and tweaking the DNS settings often resolves these problems in my experience. If the upgrade command succeeded, you can skip this section. But if the above commands fail to access the package servers, it may be something unique to your network, or your firewall or anti-malware software. I recommend the following:



echo -e "[network]\ngenerateResolvConf = false" | sudo tee -a /etc/wsl.conf
sudo unlink /etc/resolv.conf
echo nameserver 1.1.1.1 | sudo tee /etc/resolv.conf


Enter fullscreen mode Exit fullscreen mode

The first line tells WSL to cease auto-configuring the /etc/resolv.conf file. Then we remove/unlink the old file, and create a new one.

With this newly-configured DNS resolver (in this case, pointing directly to Cloudflare's DNS server) you can try upgrading packages again. Success? Excellent.

Prepare for Docker installation

Thankfully, there are official guides for installing Docker on various Linux distributions. I have based these instructions on those, with some tweaks learned from real world testing.

Remove residue

If this is not a fresh install, and you may have experimented with docker before, then first clear out any residual docker installs:

  • Fedora: sudo dnf remove moby-engine docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine
  • Debian/Ubuntu: sudo apt remove docker docker-engine docker.io containerd runc
  • Alpine (probably not necessary, but just in case): sudo apk del docker-cli docker-ce docker-openrc docker-compose docker

Install dependencies

Then, install pre-requisites:

  • Debian/Ubuntu: sudo apt install --no-install-recommends apt-transport-https ca-certificates curl gnupg2
  • Fedora: sudo dnf install dnf-plugins-core
  • Alpine: Nothing needed. Dependencies will be installed later, automatically.

Debian: switch to legacy iptables

Docker utilizes iptables to implement network isolation. For good reason, Debian uses the more modern nftables, but this means that Docker cannot automatically tweak the Linux firewall. Given this, you probably want to configure Debian to use the legacy iptables by default:



update-alternatives --config iptables


Enter fullscreen mode Exit fullscreen mode

And select iptables-legacy.

If you are comfortable, instead, with nftables and want to configure nftables manually for Docker, then go for it. I suspect that most, however, will want to switch to iptables legacy.

Debian/Ubuntu package repository configuration

On Debian or Ubuntu, first temporarily set some OS-specific variables:



. /etc/os-release


Enter fullscreen mode Exit fullscreen mode

Then, make sure that apt will trust the repo:



curl -fsSL https://download.docker.com/linux/${ID}/gpg | sudo tee /etc/apt/trusted.gpg.d/docker.asc


Enter fullscreen mode Exit fullscreen mode

ID will be either "ubuntu" or "debian", as appropriate, depending on what is in /etc/os-release.

Then add and update the repo information so that apt will use it in the future:



echo "deb [arch=amd64] https://download.docker.com/linux/${ID} ${VERSION_CODENAME} stable" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update


Enter fullscreen mode Exit fullscreen mode

Fedora package repository configuration

On Fedora, first add Docker's repo:



sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo


Enter fullscreen mode Exit fullscreen mode

Install Docker

Now we can install the official Docker Engine and client tools:

  • Debian/Ubuntu: sudo apt install docker-ce docker-ce-cli containerd.io
  • Fedora: sudo dnf install docker-ce docker-ce-cli containerd.io
  • Alpine (install the latest from edge): sudo apk add docker --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community

Add user to docker group

The Docker daemon is a service that Docker requires to be running in the background. The service (dockerd) and client (docker) communicate over a socket and/or a network port. For communication over the socket, privileged access is required. Two ways to obtain this access:

  • Run docker as root (i.e. sudo docker)
  • Through group membership, grant specific users privileged access to the Docker socket

In other words, unless you want to utilize sudo or root access every time, add your user to the Docker group, named docker:

  • Fedora/Ubuntu/Debian: sudo usermod -aG docker $USER
  • Alpine: sudo addgroup $USER docker

Then close that WSL window, and launch WSL again. You should see docker when you run the command groups to list group memberships.

Sharing dockerd: choose a common ID for the docker group

If you only plan on using one WSL distro, this next step isn't strictly necessary. However, if you would like to have the option of sharing the Docker socket system-wide, across WSL distributions, then all will need to share a common group ID for the group docker. By default, they each may have a different ID, so a new one is in order.

First, let's pick one. It can be any group ID that is not in use. Choose a number greater than 1000 and less than 65534. To see what group IDs are already assigned that are 1000 or above:



getent group | cut -d: -f3 | grep -E '^[0-9]{4}' | sort -g


Enter fullscreen mode Exit fullscreen mode

Can't decide what number to use? May I suggest 36257. (Just dial DOCKR on your telephone keypad...) Not likely to be already in use, but check anyway:



getent group | grep 36257 || echo "Yes, that ID is free"


Enter fullscreen mode Exit fullscreen mode

If the above command returns a line from /etc/group (that does not include docker), then pick another number and try again. If it returns "Yes, that ID is free" then you are good to go, with the following:



sudo sed -i -e 's/^\(docker:x\):[^:]\+/\1:36257/' /etc/group


Enter fullscreen mode Exit fullscreen mode

Or, if groupmod is available (which it is on Fedora, Ubuntu, and Debian, but not Alpine unless you sudo apk add shadow), this is safer:



sudo groupmod -g 36257 docker


Enter fullscreen mode Exit fullscreen mode

Once the group id has been changed, close the terminal window and re-launch your WSL distro.

Note that the above steps involving the docker group will need to be run on any WSL distribution you currently have or install in the future, if you want to give it access to the shared Docker socket.

(Optionally) prepare a shared directory

As with the last step, if you only plan on using one WSL distro, this next step isn't strictly necessary. However, if you would like to have the option of sharing the Docker socket system-wide, across WSL distributions, then a shared directory accessible to all is needed.

Let's first make a shared directory for the docker socket, and set permissions so that the docker group can write to it.



DOCKER_DIR=/mnt/wsl/shared-docker
mkdir -pm o=,ug=rwx "$DOCKER_DIR"
chgrp docker "$DOCKER_DIR"


Enter fullscreen mode Exit fullscreen mode

Configure dockerd to use the shared directory

Again, this step can be skipped if you opt against using a shared directory for the docker socket. However, you may have other settings you wish to put in daemon.json, so you may appreciate some familiarity with this topic.

I suggest using the configuration file /etc/docker/daemon.json to set dockerd launch parameters. If the /etc/docker directory does not exist yet, create it with sudo mkdir /etc/docker/ so it can contain the config file. Then the following, when placed in /etc/docker/daemon.json, will set the docker host to the shared socket:



{
  "hosts": ["unix:///mnt/wsl/shared-docker/docker.sock"]
}


Enter fullscreen mode Exit fullscreen mode

Launch dockerd

Most Linux distributions use systemd or other init system, but WSL has its own init system. Rather than twist things to use the existing init system, we just launch dockerd directly:



sudo dockerd


Enter fullscreen mode Exit fullscreen mode

There should be several lines of info, warnings related to cgroup blkio, and the like, with something like API listen on /mnt/wsl/shared-docker/docker.sock at the end. If so, you have success.

Open another wsl terminal.

If and only if you opted to use the shared docker socket in /mnt/wsl/shared-docker as detailed above, first set the DOCKER_HOST environment variable:



export DOCKER_HOST="unix:///mnt/wsl/shared-docker/docker.sock"


Enter fullscreen mode Exit fullscreen mode

Then, try out the docker cli:



docker run --rm hello-world


Enter fullscreen mode Exit fullscreen mode

You should see the "Hello from Docker!" message.

Launch script for dockerd

The following lines can be placed in .bashrc or .profile if autolaunching is desired, or in a separate shell script. For instance, you may want to create a script ~/bin/docker-service so that you can run docker-service only when you want, manually.



DOCKER_DISTRO="Debian"
DOCKER_DIR=/mnt/wsl/shared-docker
DOCKER_SOCK="$DOCKER_DIR/docker.sock"
export DOCKER_HOST="unix://$DOCKER_SOCK"
if [ ! -S "$DOCKER_SOCK" ]; then
    mkdir -pm o=,ug=rwx "$DOCKER_DIR"
    chgrp docker "$DOCKER_DIR"
    /mnt/c/Windows/System32/wsl.exe -d $DOCKER_DISTRO sh -c "nohup sudo -b dockerd < /dev/null > $DOCKER_DIR/dockerd.log 2>&1"
fi


Enter fullscreen mode Exit fullscreen mode

If you went with the default docker socket location of /var/run/docker.sock instead of the shared socket directory of /mnt/wsl/shared-docker as detailed above, then the script can be something like this:



DOCKER_DISTRO="Debian"
DOCKER_LOG_DIR=$HOME/docker_logs
mkdir -pm o=,ug=rwx "$DOCKER_LOG_DIR"
/mnt/c/Windows/System32/wsl.exe -d $DOCKER_DISTRO sh -c "nohup sudo -b dockerd < /dev/null > $DOCKER_LOG_DIR/dockerd.log 2>&1"


Enter fullscreen mode Exit fullscreen mode

You may choose whatever location you would like for your docker logs, of course. It just needs to be in a place that has permissions so that your user can write to it.

Note that DOCKER_DISTRO should be set to the distro you want to have running dockerd. If unsure of the name, simply run wsl -l -q from Powershell to see your list of WSL distributions. Pick the right one and set it to DOCKER_DISTRO.

The script above does the following:

  • Sets the environment variable $DOCKER_HOST to point to the shared socket. This isn't necessary for dockerd but it will allow running docker without needing to specify -H unix:///mnt/wsl/shared-docker/docker.sock each time.
  • Checks if the docker.sock file already exists and is a socket. If it is present, do nothing. If not present then the script does the remaining steps, as follows.
  • Creates the shared docker directory for the socket and dockerd logs, setting permissions appropriately
  • Runs dockerd from the specified distro. This is important, because it allows any WSL distro to launch dockerd if it isn't already running.
  • When dockerd is launched, pipe its output and errors to a shared log file.
  • When dockerd is launched, it runs in the background so you don't have to devote a terminal window to the process as we did earlier. The sudo -b flag gives us this, and we run with nohup so that it runs independent of the terminal, with an explicit null input to nohup to avoid extra warnings. Both standard output and errors are written to the logfile, hence the 2>&1 redirect.

Passwordless launch of dockerd

If the above script is placed in .bashrc (most Linux distros) or .profile (distros like Alpine that have Ash/Dash as the default shell), or other shell init script, then it has an unfortunate side effect: you will likely be prompted for a password most every time a new terminal window is launched.

To work around this, you can, if you choose, tell sudo to grant passwordless access to dockerd, as long as the user is a member of the docker group. To do so, enter sudo visudo and add the following line (if your visudo uses vi or vim, then be sure to press "i" to begin editing, and hit ESC when done editing):



%docker ALL=(ALL)  NOPASSWD: /usr/bin/dockerd


Enter fullscreen mode Exit fullscreen mode

Save and exit (":wq" if the editor is vi, or Ctrl-x if it is nano), and then you can test if sudo dockerd prompts for a password or not. For peace of mind, you can double-check: something like sudo -k ls -a /root should still require a password, unless the password has been entered recently.

Make sure $DOCKER_HOST is always set

If using the script earlier to launch dockerd, then $DOCKER_HOST will be set, and future invocations of docker will not need an unwieldy -H unix:///mnt/wsl/shared-docker/docker.sock

If that script is already in your .bashrc or .profile, then the following is unnecessary. If, however, you manually invoke dockerd in some way, then the following may be desirable in your .bashrc or .profile, if you opted for the shared docker socket directory:



DOCKER_SOCK="/mnt/wsl/shared-docker/docker.sock"
test -S "$DOCKER_SOCK" && export DOCKER_HOST="unix://$DOCKER_SOCK"


Enter fullscreen mode Exit fullscreen mode

The above checks for the docker socket in /mnt/wsl/shared-docker/docker.sock and, if present, sets the $DOCKER_HOST environment variable accordingly. If you want a more generalized "if this is wsl, then set the socket pro-actively" then you may prefer the following, which simply check for the existence of a /mnt/wsl directory and sets the docker socket if so:



[ -d /mnt/wsl ] && export DOCKER_HOST="unix:///mnt/wsl/shared-docker/docker.sock"


Enter fullscreen mode Exit fullscreen mode

Running docker from Windows

If configured as above, I recommend always running docker from wsl. Do you want to run a container? Do so from a WSL window. (See my article on using Windows Terminal for a convenient way to use WSL and Powershell.)

This doesn't just apply to the terminal, either. For instance, VSCode supports docker in WSL 2.

But if you want the convenience and utility of running docker in a Powershell window, I have a couple suggestions.

One is to expose dockerd over a TCP Port, or, better yet, set up an SSH server in WSL and connect that way. docker context will likely be your friend. Such methods will be explored in a later article, but I encourage you, reader, to explore. A hint: ever tried scoop.sh? After setting it up, scoop install docker docker-compose will get you some familiar tools, then an SSH server such as Dropbear or OpenSSH on the WSL side...

A simplified method I recommend: a Powershell function that calls the WSL docker, passing along any arguments. This function can be placed in your Powershell profile, usually located at ~\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1



$DOCKER_DISTRO = "fedora"
function docker {
    wsl -d $DOCKER_DISTRO docker -H unix:///mnt/wsl/shared-docker/docker.sock @Args
}


Enter fullscreen mode Exit fullscreen mode

Again, try wsl -l -q to see a list of your WSL distributions if you are unsure which one to use.

Make sure the Docker daemon is running, then launch a new Powershell window, and try the hello-world container again. Success?

You could also make a batch file with the appropriate command in it. For instance, name it docker.bat and place in C:\Windows\system32 or other location included in %PATH%. The following contents will work in such a script:



@echo off
set DOCKER_DISTRO=fedora
wsl -d %DOCKER_DISTRO% docker -H unix:///mnt/wsl/shared-docker/docker.sock %*


Enter fullscreen mode Exit fullscreen mode

You could go a step further and ensure that dockerd is running whenever you start Powershell. Assuming that the dockerd start script detailed above is saved in a file in WSL as $HOME/bin/docker-service and is executable (try chmod a+x $HOME/bin/docker-service), then the following line in your Powershell profile will launch dockerd automatically:



wsl -d $distro ~/bin/docker-service


Enter fullscreen mode Exit fullscreen mode

Not sure where your Powershell profile is located? Try entering $profile in a powershell window.

If you don't want to rely on a particular WSL shell script, you could implement a Powershell function to launch dockerd, such as this:



function Docker-Service {
  Param ([string]$distro)
  $DOCKER_DIR = "/mnt/wsl/shared-docker"
  $DOCKER_SOCK = "$DOCKER_DIR/docker.sock"
  wsl -d "$distro" sh -c "[ -S '$DOCKER_SOCK' ]"
  if ($LASTEXITCODE) {
    wsl -d "$distro" sh -c "mkdir -pm o=,ug=rwx $DOCKER_DIR ; chgrp docker $DOCKER_DIR"
    wsl -d "$distro" sh -c "nohup sudo -b dockerd < /dev/null > $DOCKER_DIR/dockerd.log 2>&1"
  }
}


Enter fullscreen mode Exit fullscreen mode

This function takes one parameter: the distro name.

In all of the above, the principle is the same: you are launching Linux executables, using WSL interoperability.

A note on bind mounts: stay on the Linux filesystem

With docker, it is possible to mount a host system's directory or files in the container. The following often works, but is not advisable when launching WSL docker from Windows:



echo "<h1>Hello, World</h1>" > index.html
docker run -p "8080:80" -v "$PWD:/usr/share/nginx/html:ro" nginx


Enter fullscreen mode Exit fullscreen mode

Instead of doing the above haphazardly, when launching WSL docker from Powershell, two recommendations:

  1. For performance reasons, only bind mount from within the Linux filesystem. To get to a Linux directory while in Powershell, try something like cd (wsl wslpath -m ~/path/to/my/dir)
  2. Instead of $PWD to get the current directory, try '$(wslpath -a .)' and, yeah, the single quotes are helpful for escaping.

An example:



cd (wsl wslpath -m ~)
mkdir html
cd html
echo "<h1>Hello, World</h1>" > index.html
docker run -p "8080:80" -v '$(wslpath -a .):/usr/share/nginx/html:ro' nginx


Enter fullscreen mode Exit fullscreen mode

Then point your browser to http://localhost:8080, and happiness will result. (Depending on your network configuration, you may instead need to access this through http://[WSL IP Address]:8080 which should be obtainable with ifconfig or ip addr)

Try wsl wslpath from Powershell, or just wslpath from Linux, to see the options. This is a very useful tool, to say the least.

Example scripts

After walking through the steps in this article, you should now have a working and potentially auto-launched dockerd, shared Docker socket, and conveniently configured docker command.

Some of the code examples above have been placed in scripts in a companion Github repo. I summarize the files available here:

  • docker-service.sh is a Unix shell script to launch dockerd
  • docker-service.ps1 contains a Powershell function to launch dockerd in WSL
  • docker.bat is a Windows batch file for launching WSL docker from CMD
  • docker.ps1 contains a Powershell function for launching WSL docker from Powershell, if placed in your profile

No doubt there are ways these can be tweaked to be more useful and reliable; feel free to post in the comments.

Interested in further tinkering with WSL 2?

Other articles I have written on WSL:

Top comments (134)

Collapse
 
tempcke profile image
Todd Empcke

I'll never understand why developers who write code to run in linux fight with windows. Just run linux native. This isn't the 90's anymore, it is really super easy to run linux on your local dev machine and every program you would want for dev that is worth running already runs on linux.

Collapse
 
patarapolw profile image
Pacharapol Withayasakpunt • Edited

Usually because I need

  • Proprietary software, not limited to MS Word and PowerPoint. I still need to work and discuss with non-dev people, you know.
  • Best possible hardware drivers by default
  • I love POSIX as well, but I don't have a choice. macOS is expensive to buy (yet mainstream), as well as forced obsolescence (via OS updates + requirement, and repair / replacement prevention); not to mention keyboard layout confusion (which is "cost to change").

But yes, I used WSL2 enough that moved to a second PC with native Linux.

Collapse
 
bowmanjd profile image
Jonathan Bowman

I am familiar with those circumstances.

For me, using WSL isn't a choice against Linux, but a choice to use Linux everywhere. A Linux dev machine is quite desirable. Even with that, I will still run WSL on any Windows machine I can. Because I do a lot from the command line, and I often want that command line to be Linux, no matter the location or network connectivity.

Collapse
 
arakwar profile image
Sebastien Lemieux

Corporate.

We tried. But I have other things to do than spend my time trying to argue with people that we should be allowed to get Linux machines on our corporate network.

The only option that we had is to run a corporate-managed VM on Azure, with their own "linux" which is a special build from oracle that I never heared of before they mentionned it, and where no open source tools seems to offer any kind of support.

WSL is the only option that I have. HyperV is not stable enough on Linux, and VirtualBox is blocked by corporate rules.

Collapse
 
bhayes profile image
b-hayes

Windows can do a lot of things linux cant and has a lot of cutting edge hardware support. Sometimes you need this simple as that.
However I agree developing linux apps with docker on windows can be a pain I'd recommend just installing linux on a dedicated machine for that purpose if you can.

Collapse
 
billybraga profile image
billybraga

Here are the problems I had on Ubuntu (note that I really wanted to work on linux since our servers run on linux) :

  • lack of proper bluetooth drivers (mSBC not supported, so headset sound was crap)
  • software support
    • Teams would not switch to headset mode automatically, nor detect when BT headset was connected after app was opened)
    • no edit and continue on .net core (and no, I won't change the language we write at work)
  • watching 4K videos on my 4K screen had tearing (and yes, watching videos on my break is a requirement)
  • regular system freeze
Collapse
 
sarvasana profile image
Kris Kater

^^ This.

Stop running Windows unless you really have to.

Collapse
 
sqlrob profile image
Robert Myers

I work on client/server software. The client is Windows; the server is not.

Collapse
 
chx profile image
Karoly Negyesi of House AstraZeneca

I will readily admit being a Linux newbie despite I installed Slackware with Linux 0.99pl15 for the first time from a stack of floppies early 1994. I am still running Linux on servers to this day. I ran Linux dual boot from 2000-2004 and then as a daily driver 2004-2017. It was a miserable experience. The choices are running Ubuntu where upgrading every six months shatters your OS so badly you can't work for days or Arch where upgrades often break one of your printer/scanner/Bluetooth. Connecting to any sort of enterprise-y VPN or WiFi just doesn't work. I don't care whether it's the fault of F5 or the community for not working -- if I can't VPN in, I can't work.

So the reason I use Windows is because that's where the driver support is. Plain and simple. And I use WSL2 because Linux excels at CLI and daemons.

Collapse
 
bodhione profile image
John Tal

Todd, many people are provisioned corporate laptops. In many regions also you cannot get a linux or Mac from the company, only Windows. WSL2 is, generally, better than the old cygwin many of us used decades ago. So no, it's not an automatic that developers get to use the best OS ever made.

Collapse
 
h8f1z profile image
Ahmed Hafiz

I have tried with multiple laptops (and multiple distros) and even with so many customisations, laptops keep heating up on idle.
Not so ideal for development with that heat on my hand . I do wish it'd change some day. Been waiting for years now.

Collapse
 
bhayes profile image
b-hayes • Edited

That sounds odd. Ive been running WSL on potato laptops and now I high end one with no heat issues at all.

Collapse
 
marzelin profile image
Marc Ziel

Fight? There's no fight between Windows and Linux since wsl2. It's a peaceful symbiosis.

Collapse
 
bodhione profile image
John Tal

somewhat peaceful, but following DOCKER0 from WSL2 out to the host network has issues in some configurations with Docker Desktop where installing docker directly into WSL works.

Collapse
 
dhirschfeld profile image
Dave Hirschfeld • Edited

Brilliant article - thanks for the thorough write up @bowmanjd!

I'm curious why you'd use a custom script to start dockerd rather than just using service docker start?

Is it just to control the shared docker socket location, or are there other reasons?

(I'm running Ubuntu-22.04)

xref: docs.microsoft.com/en-us/windows/w...

Collapse
 
bowmanjd profile image
Jonathan Bowman

Great point. If using only one distro, and that distro is Ubuntu, service docker start should work well. It could be embedded in a script, I suppose, and launched from other distros or Powershell. But I wanted something truly distro-agnostic.

Collapse
 
anpol profile image
Andrei Polushin

Also note that a boot command in /etc/wsl.conf is only available on Windows 11.

Collapse
 
russdan profile image
russdan

Hi Jonathan, great article, thank you!

A couple of updates when running in Windows 11H2 (and Ubuntu 22.04 in my case):

1) systemd is now native in Windows 11H2, BUT needs an updated WSL2 install (I was using WSL v0.63 and I believe native systemd support is in v0.68 onwards) - otherwise you get

System has not been booted with systemd as init system (PID 1). Can't operate
Enter fullscreen mode Exit fullscreen mode

Upgrading WSL to latest version means that updating /etc/wsl.conf with

[boot]
systemd=true
Enter fullscreen mode Exit fullscreen mode

then works as desired...

2) We also need containerd installed - I used the manual steps from here and that worked for me howtoforge.com/how-to-install-cont...

Those two steps joined the dots and now docker is running without docker desktop :)

Russ

Collapse
 
bowmanjd profile image
Jonathan Bowman • Edited

What!??? When did this happen? No one tells me these things. Except for you, of course, for which I am extremely grateful. Well, this is a game changer. I will work on updating the instructions for systemd, then!

Weird -- containerd is already installed on mine; I can update the instructions accordingly. Thank you so much!

Collapse
 
jsiegmund profile image
Jasper Siegmund

I'm running things with systemd now, I'm just struggling on how to launch that script which ensures the docker.sock is created before launching the actual docker service. So if you could include that in a rewrite that would be nice :)

Collapse
 
relin404 profile image
Ahmad Mash'aal • Edited

I have been pulling my hair for 8 days trying to run Docker on WSL2 without too many problems arising from nowhere with limited Linux experience. This article really helped me pull through it all. Kudos to you, Jonathan! Great detailed and crystal-clear article!

Collapse
 
bowmanjd profile image
Jonathan Bowman

So glad you found it helpful!

Collapse
 
thw0rted profile image
James Bromwell

It might be worth mentioning that as of a few months ago, the default WSL2 install (Ubuntu) can be configured to support systemd with a two-line config file. I only just finished the install so I can't confirm that everything works 100% out of the box, but after rebooting the VM, dockerd was running as expected.

Collapse
 
ackalker profile image
Alain Kalker • Edited

According to this article from Microsoft, systemd is now enabled by default for the default Ubuntu WSL distribution installed with WSL and installable from the Microsoft Store.
Installing the distribution-maintained version of Docker is now as simple as:

sudo apt update
sudo apt upgrade
sudo apt install docker.io
# Optionally, add your username to the docker group
sudo gpasswd -a <yourusername> docker
Enter fullscreen mode Exit fullscreen mode

Close the Ubuntu Terminal and re-open it (to make the group add take effect) and test that it works:

docker run --rm hello-world
Enter fullscreen mode Exit fullscreen mode

and Bob's your uncle. All done in less than a minute's work.

Collapse
 
bowmanjd profile image
Jonathan Bowman

Beautiful!

Collapse
 
piotrrojek profile image
piotr-rojek

Hey, great stuff! It is actually possible to expose docker.sock from WSL so that it is accessible by Windows applications. In fact this is what Docker Desktop is doing, allowing all Windows native applications to use npipe docker context. It requires a small proxy application to make it work though. To make it easy to use I have packaged it into a container, so it is easy to deploy with a single docker run.

Read more about this here

Collapse
 
kushakjafry profile image
Kushak Zohaad Jafry

Hi, followed everything but on doing sudo dockered getting this error.

WARN[2021-10-24T16:24:00.993150800+05:30] grpc: addrConn.createTransport failed to connect to {unix:///var/run/docker/containerd/containerd.sock 0 }. Err :connection error: desc = "transport: Error while dialing dial unix:///var/run/docker/containerd/containerd.sock: timeout". Reconnecting... module=grpc
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.4 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgrade

Collapse
 
badsamaritan profile image
Michał Drzymała

What helped me in similar situation:

  • Add iptables false (as mentioned in the article),
  • Restart WSL engine (restart Lxssmanager service on Windows host),
  • Run WSL prompt as Admin (elevated) and there only run dockerd
Collapse
 
ajburley profile image
ajburley

I got this so I just added "iptables": false to my daemon.json and this error was averted. In the original post it says you only need to do this for Debian but not Ubuntu, and I'm using Ubuntu so I skipped that step originally. But in the end, turned out it was required.

Collapse
 
kushakjafry profile image
Kushak Zohaad Jafry • Edited

I did that but it did not work for me. Now I have started using docker desktop again.

Collapse
 
alexlefranc profile image
Alexandre LEFRANC

Hi,
Thanks for this post, very useful previously. For information, we can now install Podman desktop (and podman with MSI file), experimental but interressing.

Collapse
 
bowmanjd profile image
Jonathan Bowman

I will definitely try that, and update the article. Thank you!

Collapse
 
nooz profile image
Michael Zheng

For some reason I can't get internet connection inside the container.

Collapse
 
salvatorepiccione profile image
Salvatore Piccione

Hi, I have exactly the same issue... @bowmanjd can you share any hint about how to get Internet connection working on docker containers running on WSL2?

Collapse
 
bowmanjd profile image
Jonathan Bowman

Interesting... What sort of errors are you seeing? Is it all internet connectivity, or just DNS?

Thread Thread
 
salvatorepiccione profile image
Salvatore Piccione

It is all internet connectivity: I cannot ping 1.1.1.1 but I can ping the docker host from a container.

Collapse
 
salvatorepiccione profile image
Salvatore Piccione

BTW I solved this issue switching from Debian to Ubuntu as WSL2 distro.

Thread Thread
 
timblaktu profile image
Tim Black

I'm having same issue, using Debian 11 on WSL2. With a Dockerfile containing only:

FROM centos:7
RUN yum -y install httpd

I was getting yum errors not resolving the name of the mirror server:

Determining fastest mirrors
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"

Since I could resolve the name of the server from Debian WSL2 with no issue, I knew my DNS was working there. So I added some sleuthing to the Dockerfile:

FROM centos:7 RUN cat /etc/resolv.conf && ping -v -c2 host.docker.internal && ping -v -c2 1.1.1.1 && ping -v google.com && ping -v mirrorlist.centos.org RUN echo "timeout=30" >> /etc/yum.conf && cat /etc/yum.conf && yum -y install httpd

and run docker build with --add-host=host.docker.internal:host-gateway, I can see that I can ping the host from the container, but the container cannot seem to ping any external ip, even the cloudflare dns 1.1.1.1 or google's 8.8.8.8.

I've played around with setting DNS in the container explicitly using the /etc/docker/daemon.json with things like "dns": ["1.1.1.1", "8.8.8.8"], but if the container can't even get connectivity to these ips that's not going to work..

My Debian environment does not have any iptables configured. I'm flummoxed.

Thread Thread
 
timblaktu profile image
Tim Black • Edited

I found my debian environment is configured to use iptables-nft:

$> sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode
Enter fullscreen mode Exit fullscreen mode

But I was getting no rules generated by iptables-nft-save, and several rules generated by iptables-legacy-save, so I explicitly update-alternatives to iptables-legacy and rebooted (host and wsl2/debian). (Will report back with results..)

Thread Thread
 
timblaktu profile image
Tim Black • Edited

Still same error after switching explicitly to iptables-legacy in debian 11. FWIW, I'm also passing the following dns servers to my containers via docker daemon.json:

# This one is the WSL net interface as seen by windows. It cannot be pinged from container.
nameserver 172.29.224.1
nameserver 1.1.1.1
nameserver 8.8.8.8
Enter fullscreen mode Exit fullscreen mode

I've tried putting the google and cloudflare dns first in this order, to no avail.

Thread Thread
 
timblaktu profile image
Tim Black

The issue is more easily reproduced on my system by just running ping commands inside the latest alpine image:

$> home/tim/src > docker run --rm -it alpine ping -c4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
Enter fullscreen mode Exit fullscreen mode
Thread Thread
 
timblaktu profile image
Tim Black

The problem was that even though I had reverted to iptables-legacy in Debian, I still had iptables: "false" in my docker daemon.json. On removing that, docker can use its default iptables impl and work with Debian Bullseye. Now, my containers can access "the internet".

I realize that your post indicated to use iptables: false as a way to get debian wsl2 instances to work with docker. But that never worked for me for some reason.

Thread Thread
 
bowmanjd profile image
Jonathan Bowman

Yeah, I have actually changed the instructions, removing the iptables:false, as using iptables-legacy seems like the right way to do it.

Thread Thread
 
philippthiele profile image
philippthiele • Edited

I had the same issue with Ubuntu in WSL2. Removing iptables: "false" from the daemon.json and switching to iptables-legacy did the trick. No full reboot was necessary, running "wsl --shutdown" in powershell + reopening the ubuntu shell did the trick. Thanks!