TerekC

Reputation: 2243

How does Docker use ports 2375 and 4243?

I see various instances of ports 2375 and 4243 being used for seemingly the same thing while searching the internet. Also, my local machine requires I use 2375 to connect whereas when I push it to our CI server it requires it be set to 4243.

What does Docker use these ports for and how do they differ?

Upvotes: 19

Views: 23009

Answers (1)

BMitch

Reputation: 264661

The docker socket can be configured on any port with the dockerd -H option. Common docker ports that I see include:

  • 2375: unencrypted docker socket, remote root passwordless access to the host
  • 2376: tls encrypted socket, most likely this is your CI server's 4243 port as a modification of the https 443 port
  • 2377: swarm mode socket, for swarm managers, not for docker clients
  • 5000: docker registry service
  • 4789 and 7946: overlay networking

Only the first two are set with dockerd -H, swarm mode can be configured as part of docker swarm init --listen-addr or docker swarm join --listen-addr.

I strongly recommend disabling the 2375 port and securing your docker socket. It's trivial to remotely exploit this port to gain full root access without a password from remote. The command to do so is as simple as:

docker -H $your_ip:2375 run -it --rm \
  --privileged -v /:/rootfs --net host --pid host busybox

That can be run on any machine with a docker client to give someone a root shell on your host with the full filesystem available under /rootfs, your network visible under ip a, and every process visible under ps -ef.

To set up TLS security on the docker socket, see these instructions. https://docs.docker.com/engine/security/https/

Upvotes: 25
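The answer above boils down to one check: is dockerd listening on a tcp:// address without TLS client verification? The script below is an added audit example, not code from the original answer or from the Docker project. It parses the two places the listener is normally configured (the "hosts" key in daemon.json and the -H flags on a systemd ExecStart line), then classifies each listener. Both input samples are constructed here for illustration; the file paths and port numbers in them are assumptions. It also covers a caveat the answer only implies: --tls alone encrypts the connection but still lets any client in, only --tlsverify (client certificates) actually authenticates.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample of /etc/docker/daemon.json (not taken from a real host):
# the classic misconfiguration, a plaintext tcp listener on every interface.
SAMPLE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample of a systemd ExecStart line, the other place the -H flag
# usually lives. Uses the non-standard 4243 port, but with --tlsverify, so a
# client certificate signed by the CA is required to talk to it.
SAMPLE_EXECSTART = (
    "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:4243 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
    "--tlskey=/etc/docker/server-key.pem"
)


def parse_execstart(cmdline):
    """Extract (hosts, tls, tlsverify) from a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts, tls, tlsverify = [], False, False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls = tlsverify = True  # --tlsverify implies --tls
        i += 1
    return hosts, tls, tlsverify


def parse_daemon_json(text):
    """Extract the same triple from daemon.json; its keys mirror the flags."""
    cfg = json.loads(text)
    tlsverify = bool(cfg.get("tlsverify", False))
    tls = bool(cfg.get("tls", False)) or tlsverify
    return list(cfg.get("hosts", [])), tls, tlsverify


def audit_listeners(hosts, tls, tlsverify):
    """Return {host_url: (severity, reason)} for each dockerd listener."""
    findings = {}
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            findings[h] = ("info", "local listener (unix socket or systemd fd), "
                                   "not reachable over the network")
            continue
        # Bound to all interfaces means anyone who can route to the host.
        exposed = u.hostname in (None, "", "0.0.0.0", "::")
        if not tls:
            findings[h] = ("critical" if exposed else "high",
                           f"plaintext API on port {u.port}: anyone who can "
                           f"connect gets root on the host")
        elif not tlsverify:
            findings[h] = ("high",
                           f"TLS on port {u.port} without client verification: "
                           f"encrypted, but still unauthenticated")
        else:
            findings[h] = ("ok", f"TLS with client certificate verification "
                                 f"on port {u.port}")
    return findings


if __name__ == "__main__":
    for label, parsed in (("daemon.json", parse_daemon_json(SAMPLE_DAEMON_JSON)),
                          ("ExecStart", parse_execstart(SAMPLE_EXECSTART))):
        print(f"== {label} ==")
        for host, (sev, why) in audit_listeners(*parsed).items():
            print(f"{sev:8} {host:32} {why}")
```

On a real host, feed it the contents of /etc/docker/daemon.json and the output of `systemctl cat docker.service`; note that dockerd refuses to start if "hosts" is set in both places, so normally only one of the two sources applies. Anything reported as critical or high is the remote-root-without-a-password case the answer describes; the fix is either dropping the tcp listener entirely or moving it to 2376 with --tlsverify per the linked Docker documentation.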
