How to remotely control a docker host without Docker-Machine #19

Open
CarlosEspejo opened this Issue Apr 2, 2018 · 4 comments

Comments

3 participants
@CarlosEspejo

CarlosEspejo commented Apr 2, 2018

Docker-Machine allows you to spin up a docker host in the cloud but my laptop was the only thing that could control the remote docker host and it wasn’t clear to me what I needed to do to give another machine the ability to do the same.

When you manually roll your own docker host using this guide https://docs.docker.com/install/linux/docker-ce/ubuntu/
what are the steps required to set up remote access, similar to Docker-Machine?

Any tips for making this approach safe for production use?

@BretFisher

Owner

BretFisher commented Apr 2, 2018

docker-machine is only designed to be used locally by one person and doesn't scale to teams.

What you're really asking about is "how does a team securely use the docker CLI remotely against docker engines on servers?"

dockerd (Docker Engine) that runs containers on servers doesn't have remote connectivity enabled by default. It uses a TCP port that you need to enable, but to do it securely, you need to set up TLS, and ideally, RBAC for a team to have various read/write permissions.

Docker Docs has info on how to create mutual-TLS certs (similar to docker-machine) for connecting remotely. It's a labor-intensive process, and still means you'd need to pass that client cert around the team or create multiple certs.

The Docker Cloud "Bring Your Own Swarm" feature is great for secure team remote connectivity. It puts agents on the Swarm managers and then your local machine, and it manages TLS certs for you and downloads them to your local machine in a container when you need to connect. It works for teams too, because in the Cloud GUI you can create groups and assign Swarms and other Docker IDs to a group to give/remove remote CLI permissions. It doesn't do RBAC. It also may be going away when they shut down Docker Cloud in May 2018, but I hope it lives on in some form.

Docker EE has the most features for this, providing RBAC (read-only users, etc.), LDAP integration, and much more.

There are other options as well, some use the authz plug-in model for docker.
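Added example (editor's, not from the thread or from Docker): the mutual-TLS setup the comment above calls labor-intensive, scripted end to end so the steps are visible. It follows the procedure in the Docker docs ("Protect the Docker daemon socket"): a private CA, a server cert whose SAN matches what clients dial, and one client cert per person so a single person's access can be revoked. The hostname `docker.example.com`, the IP `10.0.0.5`, the cert directory `/etc/docker/certs` and the 2048-bit key size are assumptions for the example (use 4096-bit keys in production); the `daemon.json` keys, `DOCKER_*` variables and port 2376 are Docker's own. Requires `openssl` on the PATH.

```shell
#!/bin/sh
# Added example: generate mutual-TLS material for a remote dockerd and print
# the daemon/client configuration that uses it. Not Docker's own tooling.
set -e

# make_certs DIR HOSTNAME IP
# Creates CA, server and client key pairs in DIR (2048-bit for speed here;
# 4096-bit in production). Private keys end up mode 0400.
make_certs() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  (
    cd "$dir"
    # 1. Private CA that both dockerd and every client will trust.
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem \
      -subj "/CN=docker-ca" -out ca.pem
    # 2. Server cert. The SAN must contain exactly the name/IP clients dial,
    #    otherwise --tlsverify fails on hostname mismatch.
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -new -sha256 -key server-key.pem -subj "/CN=$host" -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
      "$host" "$ip" > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out server-cert.pem -extfile server-ext.cnf 2>/dev/null
    # 3. Client cert, restricted to clientAuth. Mint one per team member.
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -new -key key.pem -subj "/CN=client" -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out cert.pem -extfile client-ext.cnf 2>/dev/null
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
  )
}

# verify_certs DIR: 0 when both leaf certs chain to the CA and carry the
# right purpose (server cert usable as a TLS server, client cert as a client).
verify_certs() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/server-cert.pem" >/dev/null &&
  openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/cert.pem" >/dev/null
}

# daemon_json CERTDIR: prints /etc/docker/daemon.json for a TLS-only TCP
# listener. tlsverify makes dockerd reject clients without a CA-signed cert.
# Caveat: on Ubuntu the systemd unit already passes "-H fd://", so "hosts"
# here collides with it; either drop "hosts" and add "-H tcp://0.0.0.0:2376"
# via a systemd drop-in, or override ExecStart to run "dockerd" bare.
daemon_json() {
  certdir=$1
  cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "$certdir/ca.pem",
  "tlscert": "$certdir/server-cert.pem",
  "tlskey": "$certdir/server-key.pem"
}
EOF
}

# client_env HOSTNAME: the three variables a laptop needs after copying
# ca.pem, cert.pem and key.pem into ~/.docker. Never copy ca-key.pem there.
client_env() {
  printf 'export DOCKER_HOST=tcp://%s:2376\n' "$1"
  printf 'export DOCKER_TLS_VERIFY=1\n'
  printf 'export DOCKER_CERT_PATH=$HOME/.docker\n'
}

# Example run:
#   make_certs ./certs docker.example.com 10.0.0.5 && verify_certs ./certs
#   daemon_json /etc/docker/certs   # install on the server, restart dockerd
#   client_env docker.example.com   # eval on the laptop, then: docker version
```

Treat `ca-key.pem` like a root password: anyone who can sign with it gets full, root-equivalent control of every engine that trusts the CA. Rotating a departed team member out means issuing certs per person up front; there is no revocation list in this scheme, so short validity periods are the practical substitute.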

@BretFisher

Owner

BretFisher commented Dec 14, 2018

Docker's 18.09 release got a great new feature that lets you use your local docker cli with a remote server through an SSH tunnel, so you no longer need to set up TCP/TLS just for remote cli.

Just change your DOCKER_HOST envvar and as long as you have ssh keys set up and ssh access to the server, your local CLI will now talk to the remote:

export DOCKER_HOST=ssh://user@server
docker version
# you'll see the versions for your local CLI and the remote server

From there any docker command, including builds and swarm, will work!
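Added example (editor's, not from the thread or from Docker): with `DOCKER_HOST=ssh://user@server`, whoever holds that SSH key has whatever the remote user has, which for a docker-group member is root-equivalent control of the host. One way to keep a key usable only for the docker CLI is an `authorized_keys` forced command. This assumes, from the docker CLI's ssh transport, that the client runs `docker system dial-stdio` on the remote and speaks the engine API over the session's stdin/stdout (check the command your CLI version issues before relying on it). The install path `/usr/local/bin/docker-dial-only` and the sample public key are placeholders.

```shell
#!/bin/sh
# Added example: forced-command wrapper for docker's ssh:// transport.
# Install as /usr/local/bin/docker-dial-only (mode 0755) and reference it
# from the user's ~/.ssh/authorized_keys via authorized_keys_line below.
# Assumption: the docker CLI requests exactly "docker system dial-stdio".
ALLOWED='docker system dial-stdio'

# allow_cmd CMD: 0 only when CMD is exactly the dial-stdio invocation.
# Exact string match, not prefix/regex, so "docker system dial-stdio; bash"
# or an empty command (interactive shell) is refused.
allow_cmd() {
  [ "$1" = "$ALLOWED" ]
}

# authorized_keys_line PUBKEY: the authorized_keys entry for one remote-CLI
# user. The extra options switch off SSH features the transport never needs,
# so the key cannot be turned into a port forward, agent hijack or shell.
authorized_keys_line() {
  printf 'command="/usr/local/bin/docker-dial-only",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1"
}

# dispatch ORIGCMD: decide what the forced command does with the request.
# Prints "exec" for an allowed request and "refused" otherwise; the caller
# does the actual exec so this stays testable without sshd.
dispatch() {
  if allow_cmd "$1"; then
    echo exec
  else
    echo refused
  fi
}

# Entry point when sshd runs this script as the forced command. sshd puts
# the client's requested command in SSH_ORIGINAL_COMMAND. Guarded on $0 so
# sourcing the file for its functions does not exec anything.
case "$0" in
  */docker-dial-only)
    if [ "$(dispatch "${SSH_ORIGINAL_COMMAND:-}")" = exec ]; then
      exec $ALLOWED
    fi
    echo "refused: '${SSH_ORIGINAL_COMMAND:-}' is not '$ALLOWED'" >&2
    exit 1
    ;;
esac

# Example: print the line to append on the server for one laptop key.
#   authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample user@laptop"
```

This narrows what the SSH key can do, not what docker can do: once `dial-stdio` is running, the remote user's engine access is unrestricted, so the remote account still needs to be one you would trust with the docker socket. Use one key per person, and remove that person's line from `authorized_keys` when they leave; that is the revocation step the TLS approach lacks.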

@Biker93


Biker93 commented Dec 29, 2018

I find that on my Mac, I must export the variable for it to become an ENVIRONMENT variable as opposed to just a shell variable:

export DOCKER_HOST=ssh://user@server
docker version

@BretFisher

Owner

BretFisher commented Dec 31, 2018

Sorry, yes, it should be export, not set.
