Docker Tips : access the Docker daemon via ssh
Docker 18.09 offers the possibility for a Docker client to communicate with a remote daemon via ssh. Here’s how:
Client / Server communications
The Docker client communicates usually with the daemon either locally, via the unix socket /var/run/docker.sock, or over a network via a tcp socket. Below is a typical example of options provided to the Docker daemon at startup.
There are 2 important flags related to the client / server communication here:
- -H unix://, refers to the local unix socket /var/run/docker.sock. Locally, the Docker client uses this socket to communicate with the daemon
- -H tcp://0.0.0.0:2376 makes the daemon available via any network interface on port 2376. This port needs to be opened in the security groups (and restricted to a white list of IP addresses if possible) so a remote client can access the daemon.
As ssh is widely used and is often one of the protocols allowed by default, it could be convenient to access the Docker daemon directly via ssh. Docker 18.09 makes it possible ! Let’s test it.
Creation of a VM
We will start by creating a new Docker Host and make sure it runs the latest Docker version. We use Vagrant, a great tool from Hashicorp, to provision and configure a local virtual machine on VirtualBox. In a new folder, we run the following command :
|$ vagrant init ubuntu/bionic64|
This generates a file called Vagrantfile which defines how the virtual machine should be setup. We modify it a little bit so it looks like the following :
Basically, we tell Vagrant to :
- create a VM based on Ubuntu Bionic64
- use a bridge network so the VM is accessible from the host
- install the latest test build of Docker
- add the default vagrant user to the docker group (no more sudo on each command)
We can then create the VM with the following command :
|$ vagrant up|
Once the VM is up, we connect via ssh and check the network interface to get its IP address on the LAN, 192.168.5.178, in this example.
Access to the daemon over ssh
An additional folder .vagrant was created during the setup of the VM. This one contains the VM metadata and the private key which allows the default vagrant user a passwordless ssh connection. We add this key to the authentication agent with the following command (so we do not have to specify its path each time we use it) :
|$ ssh-add -k .vagrant/machines/default/virtualbox/private_key
Identity added: .vagrant/machines/default/virtualbox/private_key (.vagrant/machines/default/virtualbox/private_key)
We can now issue Docker commands via ssh using the -H flag followed by the ssh connection string.
|$ docker -H ssh://firstname.lastname@example.org run -ti alpine echo “hello”
Unable to find image ‘alpine:latest’ locally
latest: Pulling from library/alpine
4fe2ade4980c: Pull complete
Status: Downloaded newer image for alpine:latest
Of course, in order to avoid using this flag for each command, the DOCKER_HOST environment variable can be used instead.
Note : alpine is the only image available on the host, it was downloaded when we run the container.
This blog originated from https://medium.com/lucjuggery/docker-tips-access-the-docker-daemon-via-ssh-97cd6b44a53