CLI fails to connect to docker-dind using TLS after v1.70.2 #3862
Description
Describe the bug
I was quite out-of-date on my supabase/cli version recently and upgraded it in my CI pipeline (from 1.36.5 to 2.23.4), which caused a new error:
$ supabase db start --debug
Using workdir /builds/some/path
Supabase CLI 2.23.4
failed to inspect service: Error response from daemon: Client sent an HTTP request to an HTTPS server.
In general, I'm trying to follow gitlab's instructions for running docker-in-docker (https://docs.gitlab.com/ci/docker/using_docker_build/#use-the-docker-executor-with-docker-in-docker) so that the supabase CLI can spawn containers and run tests. GitLab's instructions generally follow those provided by docker on this page: https://hub.docker.com/_/docker
To Reproduce
Steps to reproduce the behavior:
In one terminal, create a bridge docker network and start docker-in-docker:
docker network create supabase-test
docker run --rm -it --privileged --network supabase-test --network-alias docker \
-e DOCKER_TLS_CERTDIR=/certs -v /tmp/docker-certs-client:/certs/client \
--name docker docker:20.10.23-dind
In a separate terminal, set up a fresh project, start a container with the fresh project mounted into it, install supabase/cli in the container, and try to start a supabase db:
# Set up blank supabase project (I'm using a locally installed supabase/cli version 2.23.4)
mkdir /tmp/supabase-test
cd /tmp/supabase-test
supabase init
# Start a container with docker tools available
docker run -it --rm --net supabase-test \
-e DOCKER_TLS_CERTDIR=/certs -v /tmp/docker-certs-client:/certs/client:ro \
-v $(pwd):/supabase-test -w /supabase-test docker:20.10.23 sh
#==== All following commands are run inside the container ====#
# Running docker ps shows that it connects to the docker daemon without error
docker ps
# Download supabase/cli version 1.36.5
#
# NOTE: Downloading and installing from apk instead of tar.gz
# doesn't seem to change any of the following behavior
wget -q https://github.com/supabase/cli/releases/download/v1.36.5/supabase_linux_amd64.tar.gz -O - | tar -xz -C /usr/local/bin
# Start supabase db successfully
supabase db start
# Download supabase/cli version 2.23.4
wget -q https://github.com/supabase/cli/releases/download/v2.23.4/supabase_linux_amd64.tar.gz -O - | tar -xz -C /usr/local/bin
# Starting supabase db errors
supabase db start
# failed to inspect service: Error response from daemon: Client sent an HTTP request to an HTTPS server.
I narrowed it down further: running supabase db start works with supabase/cli version 1.70.2 and fails with version 1.70.3. The most relevant commit in 1.70.3 (https://github.com/supabase/cli/releases/tag/v1.70.3) seems to be 8aeacce.
Setting other envvars, such as DOCKER_TLS_VERIFY=1 or DOCKER_HOST=tcp://docker:2376 seem to have no effect on how supabase/cli behaves.
Expected behavior
I expect supabase/cli to obey the DOCKER_TLS_CERTDIR envvar and connect to the docker daemon with TLS.
System information
Rerun the failing command with --create-ticket flag.
- Version of OS: Ubuntu 22.04.5 LTS
- Version of CLI: 2.23.4
- Version of Docker: 28.2.2
Additional context
I think a few other folks have run into this issue and didn't get any followup or solution:
- https://discord.com/channels/839993398554656828/1324502650670284812/1324502650670284812
- https://discord.com/channels/839993398554656828/1336276168634007612/1336276168634007612
Please let me know if I've missed some convention or config change in the last couple years for how to get docker and/or the supabase/cli working in this sort of situation!