2.1.1.5 Daemon API Handling
A focused guide to Daemon API Handling, connecting core concepts with practical Docker and container operations.
Daemon API handling describes how the Docker daemon exposes its functionality through a documented REST API, which every client — including the official CLI — uses to issue requests, meaning anything the daemon can do is accessible to any tool capable of making HTTP requests to it.
The API as the Real Interface to Docker
The docker CLI is a convenience layer; underneath every command it runs, it makes an HTTP request to the daemon's API and interprets the response. The API itself defines the actual capabilities of the daemon.
curl --unix-socket /var/run/docker.sock http://localhost/version
This retrieves the same version information docker version would display, by talking directly to the API rather than through the CLI.
Listening on a Socket or a Network Port
By default, the daemon listens on a local Unix socket, which only processes on the same machine can access. It can also be configured to listen on a TCP port, allowing remote clients to connect, though this requires careful attention to authentication and encryption since the API grants extensive control over the host.
dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify
Enabling TLS verification when exposing the API over the network is important, since unauthenticated access to the API is equivalent to unrestricted control over every container on the host.
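A defender's check for the exposure described above, as an added example that is not part of the original guide: it reads the daemon.json equivalents of the -H and --tls* flags (hosts, tls, tlsverify) and reports TCP listeners that accept unauthenticated clients. The function names, sample documents and certificate paths are constructed for illustration, and listeners passed only on the dockerd command line are not covered.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def is_loopback(host):
    """True only when the bind address is clearly loopback."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown name or empty host: assume reachable remotely

def audit_daemon_config(text):
    """Return (severity, host, reason) findings for a daemon.json document."""
    cfg = json.loads(text)
    verify = bool(cfg.get("tlsverify"))
    encrypted = verify or bool(cfg.get("tls"))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are local; access is set by file permissions
        if verify:
            continue  # clients must present a certificate signed by tlscacert
        exposed = not is_loopback(url.hostname or "")
        severity = "critical" if exposed else "warning"
        reason = ("encrypted, but clients are not authenticated" if encrypted
                  else "plaintext and unauthenticated")
        findings.append((severity, host, reason))
    return findings

# Constructed sample inputs (not taken from any real host).
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://127.0.0.1:2376"], "tls": true}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",  # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, doc in [("weak", WEAK), ("tls-only", TLS_ONLY), ("hardened", HARDENED)]:
        print(name, audit_daemon_config(doc) or "no findings")
```

A loopback TCP listener without client verification is reported as a warning rather than ignored, because any local process that can reach the port gets the same control as one that can open the socket.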
Versioned API Endpoints
The API is versioned, so clients and the daemon can be at slightly different versions while remaining compatible, with the daemon supporting a range of API versions rather than requiring an exact match.
curl --unix-socket /var/run/docker.sock http://localhost/v1.43/containers/json
Building Tools Directly on the API
Because the API is fully documented and stable, tools other than the official CLI — monitoring agents, custom dashboards, CI integrations — can interact with Docker directly, without needing to shell out to the CLI or parse its text output.
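import requests_unixsocket  # third-party adapter; plain requests cannot open http+unix:// URLs
session = requests_unixsocket.Session()
response = session.get("http+unix://%2Fvar%2Frun%2Fdocker.sock/containers/json")
print(response.json())  # list of running containers, as returned by the API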
Why Understanding API Handling Matters
Recognizing that the CLI is just one possible client of a general-purpose API clarifies both how third-party Docker tooling works, and why securing access to the API itself — not just the CLI — is the actual security boundary that matters when controlling who can manage containers on a host.