Docker Tips: Access the Docker Daemon via SSH

Sl 09:28 0:01 /usr/local/bin/dockerd -g /var/lib/docker -H unix:// -H tcp://0.



0:2376 –label provider=virtualbox –tlsverify –tlscacert=/var/lib/boot2docker/ca.



pem–storage-driver aufsThere are two important flags related to client/server communication here:-H unix://, refers to the local unix socket /var/run/docker.


Locally, the Docker client uses this socket to communicate with the daemon.

-H tcp://0.



0:2376 makes the daemon available via any network interface on port 2376.

This port needs to be opened in the security groups (and restricted to a white list of IP addresses, if possible), so a remote client can access the daemon.

As SSH is widely used, and is often one of the protocols allowed by default, it could be convenient to access the Docker daemon directly via SSH.

Docker 18.

09 makes this possible — let’s test it.

Creation of a VMWe will start by creating a new Docker Host and make sure it runs the latest Docker version.

We use Vagrant, a great tool from Hashicorp, to provision and configure a local virtual machine on VirtualBox.

In a new folder, we run the following command:$ vagrant init ubuntu/bionic64This generates a file called “Vagrantfile” which defines how the virtual machine should be setup.

We modify it a little bit so it looks like:# -*- mode: ruby -*-# vi: set ft=ruby :Vagrant.

configure(“2”) do |config| config.


box = “ubuntu/bionic64” # Bridge network configuration config.


network “public_network” config.


provision “shell”, inline: <<-SHELL # Install last version of Docker curl -fsSL https://test.


com -o test-docker.

sh sh test-docker.

sh # helper script installs the beta package # Add default user in docker group usermod -aG docker vagrant SHELLendBasically, we tell Vagrant to:Create a VM based on Ubuntu Bionic64.

Use a bridge network so the VM is accessible from the host.

Install the latest test build of Docker.

Add the default vagrant user to the docker group (no more sudo on each command)We can then create the VM with the following command:$ vagrant upOnce the VM is up, we connect via SSH and check the network interface to get its IP address on the LAN (192.



178, in this example).

$ vagrant sshvagrant@ubuntu-bionic:~$ ip a.

3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 08:00:27:75:93:48 brd ff:ff:ff:ff:ff:ff inet 192.



178/24 brd 192.



255 scope global dynamic enp0s8 valid_lft 4242sec preferred_lft 4242sec inet6 fe80::a00:27ff:fe75:9348/64 scope link valid_lft forever preferred_lft foreverAccess to the daemon over SSHAn additional folder .

vagrant was created during the setup of the VM.

This one contains the VM metadata and the private key, which allows the default Vagrant user a passwordless SSH connection.

We add this key to the authentication agent with the following command (so we do’nt have to specify its path each time we use it):$ ssh-add -k .

vagrant/machines/default/virtualbox/private_keyIdentity added: .

vagrant/machines/default/virtualbox/private_key (.

vagrant/machines/default/virtualbox/private_key)We can now issue Docker commands via SSH using the -H flag followed by the SSH connection string.

$ docker -H ssh://vagrant@192.



178 run -ti alpine echo “hello”Unable to find image ‘alpine:latest’ locallylatest: Pulling from library/alpine4fe2ade4980c: Pull completeDigest: sha256:621c2f39f8133a3a94dbdf0d5ca81102b9e57c0dc184cadaf5528Status: Downloaded newer image for alpine:latesthelloOf course, in order to avoid using this flag for each command, the DOCKER_HOST environment variable can be used instead.

$ export DOCKER_HOST=ssh://vagrant@192.



178$ docker image lsREPOSITORY TAG IMAGE ID CREATED SIZEalpine latest 196d12cf6ab1 4 weeks ago 4.

41MBNote: “alpine” is the only image available on the host, it was downloaded when we ran the container.


. More details

Leave a Reply