Default the tcp port to 2376 if tls is on, and 2375 if not

Refactor so that the Host flag validation doesn't destroy the user's input,
and then post process the flags when we know the TLS options

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>

api/client/cli.go

@@ -106,13 +106,6 @@ func NewDockerCli(in io.ReadCloser, out, err io.Writer, clientFlags *cli.ClientF
 		switch len(hosts) {
 		case 0:
 			defaultHost := os.Getenv("DOCKER_HOST")
-			if defaultHost == "" {
-				defaultHost = opts.DefaultHost
-			}
-			defaultHost, err := opts.ValidateHost(defaultHost)
-			if err != nil {
-				return err
-			}
 			hosts = []string{defaultHost}
 		case 1:
 			// only accept one host to talk to
@@ -120,6 +113,15 @@ func NewDockerCli(in io.ReadCloser, out, err io.Writer, clientFlags *cli.ClientF
 			return errors.New("Please specify only one -H")
 		}
 
+		defaultHost := opts.DefaultTCPHost
+		if clientFlags.Common.TLSOptions != nil {
+			defaultHost = opts.DefaultTLSHost
+		}
+		var e error
+		if hosts[0], e = opts.ParseHost(defaultHost, hosts[0]); e != nil {
+			return e
+		}
+
 		protoAddrParts := strings.SplitN(hosts[0], "://", 2)
 		cli.proto, cli.addr = protoAddrParts[0], protoAddrParts[1]
 

docker/daemon.go

@@ -169,9 +169,6 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {
 	daemonFlags.ParseFlags(args, true)
 	commonFlags.PostParse()
 
-	if len(commonFlags.Hosts) == 0 {
-		commonFlags.Hosts = []string{opts.DefaultHost}
-	}
 	if commonFlags.TrustKey == "" {
 		commonFlags.TrustKey = filepath.Join(getDaemonConfDir(), defaultTrustKeyFile)
 	}
@@ -212,6 +209,7 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {
 	}
 	serverConfig = setPlatformServerConfig(serverConfig, cli.Config)
 
+	defaultHost := opts.DefaultHost
 	if commonFlags.TLSOptions != nil {
 		if !commonFlags.TLSOptions.InsecureSkipVerify {
 			// server requires and verifies client's certificate
@@ -222,6 +220,14 @@ func (cli *DaemonCli) CmdDaemon(args ...string) error {
 			logrus.Fatal(err)
 		}
 		serverConfig.TLSConfig = tlsConfig
+		defaultHost = opts.DefaultTLSHost
+	}
+
+	for i := 0; i < len(commonFlags.Hosts); i++ {
+		var err error
+		if commonFlags.Hosts[i], err = opts.ParseHost(defaultHost, commonFlags.Hosts[i]); err != nil {
+			logrus.Fatalf("error parsing -H %s : %v", commonFlags.Hosts[i], err)
+		}
 	}
 	for _, protoAddr := range commonFlags.Hosts {
 		protoAddrParts := strings.SplitN(protoAddr, "://", 2)

docs/articles/basics.md

@@ -82,13 +82,17 @@ then it is trivial for someone to gain root access to the host where the
 daemon is running.
 
 Similarly, the Docker client can use `-H` to connect to a custom port.
+The Docker client will default to connecting to `unix:///var/run/docker.sock`
+on Linux, and `tcp://127.0.0.1:2376` on Windows.
 
 `-H` accepts host and port assignment in the following format:
 
-    tcp://[host][:port][path] or unix://path
+    tcp://[host]:[port][path] or unix://path
 
 For example:
 
+-   `tcp://` -> TCP connection to `127.0.0.1` on either port `2376` when TLS encryption
+    is on, or port `2375` when communication is in plain text.
 -   `tcp://host:2375` -> TCP connection on
     host:2375
 -   `tcp://host:2375/path` -> TCP connection on
@@ -101,7 +105,7 @@ when no `-H` was passed in.
 
 `-H` also accepts short form for TCP bindings:
 
-    host[:port] or :port
+    `host:` or `host:port` or `:port`
 
 Run Docker in daemon mode:
 

docs/installation/ubuntulinux.md

@@ -265,9 +265,11 @@ Docker uses a bridge to manage container networking. By default, UFW drops all
 forwarding traffic. As a result, for Docker to run when UFW is
 enabled, you must set UFW's forwarding policy appropriately.
 
-Also, UFW's default set of rules denies all incoming traffic. If you want to be able
-to reach your containers from another host then you should also allow incoming
-connections on the Docker port (default `2375`).
+Also, UFW's default set of rules denies all incoming traffic. If you want to
+reach your containers from another host allow incoming connections on the Docker
+port. The Docker port defaults to `2376` if TLS is enabled or `2375` when it is
+not. If TLS is not enabled, communication is unencrypted. By default, Docker
+runs without TLS enabled.
 
 To configure UFW and allow incoming connections on the Docker port:
 

docs/reference/commandline/cli.md

@@ -18,7 +18,7 @@ or execute `docker help`:
              docker daemon [ --help | ... ]
              docker [ --help | -v | --version ]
 
-        -H, --host=[]: The socket(s) to bind to in daemon mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
+        -H, --host=[]: The socket(s) to talk to the Docker daemon in the format of tcp://host:port/path, unix:///path/to/socket, fd://* or fd://socketfd.
 
       A self-sufficient runtime for Linux containers.
 

man/docker.1.md

@@ -36,10 +36,12 @@ To see the man page for a command run **man docker <command>**.
 **-D**, **--debug**=*true*|*false*
   Enable debug mode. Default is false.
 
-**-H**, **--host**=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
+**-H**, **--host**=[unix:///var/run/docker.sock]: tcp://[host]:[port][path] to bind or
 unix://[/path/to/socket] to use.
   The socket(s) to bind to in daemon mode specified using one or more
-  tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
+  tcp://host:port/path, unix:///path/to/socket, fd://* or fd://socketfd.
+  If the tcp port is not specified, then it will default to either `2375` when
+  `--tls` is off, or `2376` when `--tls` is on, or `--tlsverify` is specified.
 
 **-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*""
   Set the logging level. Default is `info`.

opts/opts.go

@@ -17,16 +17,23 @@ var (
 	domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
 	// DefaultHTTPHost Default HTTP Host used if only port is provided to -H flag e.g. docker daemon -H tcp://:8080
 	DefaultHTTPHost = "127.0.0.1"
+
 	// DefaultHTTPPort Default HTTP Port used if only the protocol is provided to -H flag e.g. docker daemon -H tcp://
 	// TODO Windows. DefaultHTTPPort is only used on Windows if a -H parameter
 	// is not supplied. A better longer term solution would be to use a named
 	// pipe as the default on the Windows daemon.
+	// These are the IANA registered port numbers for use with Docker
+	// see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=docker
 	DefaultHTTPPort = 2375 // Default HTTP Port
+	// DefaultTLSHTTPPort Default HTTP Port used when TLS enabled
+	DefaultTLSHTTPPort = 2376 // Default TLS encrypted HTTP Port
 	// DefaultUnixSocket Path for the unix socket.
 	// Docker daemon by default always listens on the default unix socket
 	DefaultUnixSocket = "/var/run/docker.sock"
 	// DefaultTCPHost constant defines the default host string used by docker on Windows
 	DefaultTCPHost = fmt.Sprintf("tcp://%s:%d", DefaultHTTPHost, DefaultHTTPPort)
+	// DefaultTLSHost constant defines the default host string used by docker for TLS sockets
+	DefaultTLSHost = fmt.Sprintf("tcp://%s:%d", DefaultHTTPHost, DefaultTLSHTTPPort)
 )
 
 // ListOpts holds a list of values and a validation function.
@@ -335,6 +342,17 @@ func ValidateLabel(val string) (string, error) {
 
 // ValidateHost validates that the specified string is a valid host and returns it.
 func ValidateHost(val string) (string, error) {
+	_, err := parsers.ParseDockerDaemonHost(DefaultTCPHost, DefaultUnixSocket, val)
+	if err != nil {
+		return val, err
+	}
+	// Note: unlike most flag validators, we don't return the mutated value here
+	//       we need to know what the user entered later (using ParseHost) to adjust for tls
+	return val, nil
+}
+
+// ParseHost and set defaults for a Daemon host string
+func ParseHost(defaultHTTPHost, val string) (string, error) {
 	host, err := parsers.ParseDockerDaemonHost(DefaultTCPHost, DefaultUnixSocket, val)
 	if err != nil {
 		return val, err

opts/opts_test.go

@@ -3,6 +3,7 @@ package opts
 import (
 	"fmt"
 	"os"
+	"runtime"
 	"strings"
 	"testing"
 )
@@ -423,7 +424,7 @@ func TestValidateLabel(t *testing.T) {
 	}
 }
 
-func TestValidateHost(t *testing.T) {
+func TestParseHost(t *testing.T) {
 	invalid := map[string]string{
 		"anything":              "Invalid bind address format: anything",
 		"something with spaces": "Invalid bind address format: something with spaces",
@@ -433,7 +434,14 @@ func TestValidateHost(t *testing.T) {
 		"tcp://invalid":      "Invalid bind address format: invalid",
 		"tcp://invalid:port": "Invalid bind address format: invalid:port",
 	}
+	const defaultHTTPHost = "tcp://127.0.0.1:2375"
+	var defaultHOST = "unix:///var/run/docker.sock"
+
+	if runtime.GOOS == "windows" {
+		defaultHOST = defaultHTTPHost
+	}
 	valid := map[string]string{
+		"":                         defaultHOST,
 		"fd://":                    "fd://",
 		"fd://something":           "fd://something",
 		"tcp://host:":              "tcp://host:2375",
@@ -450,12 +458,12 @@ func TestValidateHost(t *testing.T) {
 	}
 
 	for value, errorMessage := range invalid {
-		if _, err := ValidateHost(value); err == nil || err.Error() != errorMessage {
+		if _, err := ParseHost(defaultHTTPHost, value); err == nil || err.Error() != errorMessage {
 			t.Fatalf("Expected an error for %v with [%v], got [%v]", value, errorMessage, err)
 		}
 	}
 	for value, expected := range valid {
-		if actual, err := ValidateHost(value); err != nil || actual != expected {
+		if actual, err := ParseHost(defaultHTTPHost, value); err != nil || actual != expected {
 			t.Fatalf("Expected for %v [%v], got [%v, %v]", value, expected, actual, err)
 		}
 	}