How to remotely control a docker host without Docker-Machine #19
Docker-Machine allows you to spin up a docker host in the cloud, but my laptop was the only thing that could control the remote docker host, and it wasn’t clear to me what I needed to do to give another machine the ability to do the same.
When you manually roll your own docker host using this guide https://docs.docker.com/install/linux/docker-ce/ubuntu/
Any tips for making this approach safe for production use?
docker-machine is only designed to be used locally by one person and doesn't scale to teams.
What you're really asking about is "how does a team securely use the docker CLI remotely against docker engines on servers?"
Docker Docs has info on how to create mutual-TLS certs (similar to docker-machine) for connecting remotely. It's a labor-intensive process, and still means you'd need to pass that client cert around the team or create multiple certs.
The Docker Cloud "Bring Your Own Swarm" feature is great for secure team remote connectivity. It puts agents on the Swarm managers and then your local machine, and it manages TLS certs for you and downloads them to your local machine in a container when you need to connect. It works for teams too, because in the Cloud GUI you can create groups and assign Swarms and other Docker IDs to a group to give/remove remote CLI permissions. It doesn't do RBAC. It also may be going away when they shut down Docker Cloud in May 2018, but I hope it lives on in some form.
Docker EE has the most features for this, providing RBAC (read-only users, etc.), LDAP integration, and much more.
There are other options as well, some use the authz plug-in model for docker.
Docker's 18.09 release got a great new feature that lets you use your local docker CLI with a remote server through an SSH tunnel, so you no longer need to set up TCP/TLS just for remote CLI.
Just change your

```bash
export DOCKER_HOST=ssh://user@server
docker version   # you'll see the versions for your local cli and the remote server
```
From there any docker command, including builds and swarm, will work!
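For anyone who still needs the TCP/TLS transport mentioned earlier in the thread (for example, because the daemon host does not allow SSH), here is an added example of the "create multiple certs" route: one CA, one server cert, and one client cert per team member, with the checks a practitioner would run before trusting the result. This is example code, not from the original issue, Docker's docs or Docker-Machine; the hostname `dockerd.example.test`, the IP `10.0.0.5`, the user name `alice` and the working directory are made up for illustration.

```bash
#!/usr/bin/env sh
# Added example: mutual-TLS material for the Docker daemon's tcp:// transport.
# All names (dockerd.example.test, 10.0.0.5, alice) are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DAYS="${DAYS:-365}"          # short lifetimes matter: dockerd does not consult a CRL
KEYBITS="${KEYBITS:-4096}"

make_ca() {
  # The CA key signs every client cert that can drive the daemon (root-equivalent),
  # so keep it off the daemon host and never paste it into team chat.
  openssl genrsa -out "$WORKDIR/ca-key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -x509 -days "$DAYS" -key "$WORKDIR/ca-key.pem" \
    -subj "/CN=docker-ca.example.test" -out "$WORKDIR/ca.pem" 2>/dev/null
}

make_server_cert() {
  # $1 = DNS name clients will connect to, $2 = its IP. Both go into
  # subjectAltName; a client using a name/IP not listed here fails hostname
  # verification instead of silently talking to the wrong daemon.
  host="$1"; ip="$2"
  openssl genrsa -out "$WORKDIR/server-key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -key "$WORKDIR/server-key.pem" -subj "/CN=$host" \
    -out "$WORKDIR/server.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
    "$host" "$ip" > "$WORKDIR/server-ext.cnf"
  openssl x509 -req -days "$DAYS" -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
    -extfile "$WORKDIR/server-ext.cnf" -out "$WORKDIR/server-cert.pem" 2>/dev/null
}

make_client_cert() {
  # $1 = team member. One cert per person, CN = their name, so the daemon's
  # logs say who connected. extendedKeyUsage=clientAuth stops a leaked client
  # cert from being re-used to impersonate the daemon.
  user="$1"
  openssl genrsa -out "$WORKDIR/$user-key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -key "$WORKDIR/$user-key.pem" -subj "/CN=$user" \
    -out "$WORKDIR/$user.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > "$WORKDIR/client-ext.cnf"
  openssl x509 -req -days "$DAYS" -in "$WORKDIR/$user.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
    -extfile "$WORKDIR/client-ext.cnf" -out "$WORKDIR/$user-cert.pem" 2>/dev/null
}

# Sanity checks to run before handing anything out.
verify_chain() {          # $1 = cert; succeeds only if it chains to our CA
  openssl verify -CAfile "$WORKDIR/ca.pem" "$1" >/dev/null 2>&1
}
cert_has_text() {         # $1 = cert, $2 = string expected in the decoded cert
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

show_client_usage() {     # $1 = team member, $2 = daemon host
  cat <<EOF
# On $1's laptop: ~/.docker/$2/ holds ca.pem plus $1's pair renamed to cert.pem/key.pem.
export DOCKER_HOST=tcp://$2:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=~/.docker/$2
docker version
# The 18.09+ SSH transport avoids all of the above, but the SSH account on $2
# must be allowed to use the docker socket (root or a docker-group member):
export DOCKER_HOST=ssh://$1@$2
docker version
EOF
}

demo() {
  make_ca
  make_server_cert dockerd.example.test 10.0.0.5
  make_client_cert alice
  verify_chain "$WORKDIR/server-cert.pem" && verify_chain "$WORKDIR/alice-cert.pem"
  echo "certs written to $WORKDIR"
  show_client_usage alice dockerd.example.test
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh mtls-docker.sh demo` (any file name works). Give each person only their own `*-key.pem`/`*-cert.pem` plus `ca.pem`; the `ca-key.pem` stays with whoever issues certs. Because the daemon does not check revocation lists, a lost laptop means reissuing the CA and every cert, which is the main reason to keep `DAYS` short and why the SSH transport in the answer above is so much less work for a small team.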