How to remotely control a docker host without Docker-Machine #152
Replies: 4 comments
-
docker-machine is only designed to be used locally by one person and doesn't scale to teams. What you're really asking about is "how does a team securely use the docker CLI remotely against docker engines on servers?"
Docker Docs has info on how to create mutual-TLS certs (similar to docker-machine) for connecting remotely. It's a labor-intensive process, and still means you'd need to pass that client cert around the team or create multiple certs.

The Docker Cloud "Bring Your Own Swarm" feature is great for secure team remote connectivity. It puts agents on the Swarm managers and then your local machine, and it manages TLS certs for you and downloads them to your local machine in a container when you need to connect. It works for teams too, because in the Cloud GUI you can create groups and assign Swarms and other Docker IDs to a group to give/remove remote CLI permissions. It doesn't do RBAC. It also may be going away when they shut down Docker Cloud in May 2018, but I hope it lives on in some form.

Docker EE has the most features for this, providing RBAC (read-only users, etc.), LDAP integration, and much more.

There are other options as well; some use the authz plug-in model for docker.
-
Docker's 18.09 release got a great new feature that lets you use your local docker cli with a remote server through an SSH tunnel, so you no longer need to set up TCP/TLS just for remote cli. Just change your

```
export DOCKER_HOST=ssh://user@server
docker version
# you'll see the versions for your local cli and the remote server
```

From there any docker command, including builds and swarm, will work!
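The two transports discussed in the replies above (mutual TLS over TCP, and `DOCKER_HOST=ssh://`) can be checked before any docker command is run against a remote engine. This is an added example, not part of the original replies: `check_docker_transport` is a hypothetical helper name, and it assumes the CLI's standard `DOCKER_TLS_VERIFY` and `DOCKER_CERT_PATH` variables with the usual `ca.pem`, `cert.pem` and `key.pem` file names.

```shell
#!/usr/bin/env bash
# Added example: decide whether the current docker CLI environment uses a
# transport that is reasonable for remote administration.
# Reads the standard DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH
# variables; check_docker_transport itself is a hypothetical helper name.

check_docker_transport() {
    local host certs f perms
    host="${DOCKER_HOST:-}"
    certs="${DOCKER_CERT_PATH:-$HOME/.docker}"

    case "$host" in
        ""|unix://*)
            echo "ok: local engine socket"; return 0 ;;
        ssh://*)
            # Authentication and encryption come from SSH; each team member
            # can use their own account and key.
            echo "ok: ssh transport (${host#ssh://})"; return 0 ;;
        tcp://*)
            ;;  # needs the TLS checks below
        *)
            echo "reject: unexpected DOCKER_HOST scheme: $host"; return 1 ;;
    esac

    # The CLI uses TLS and verifies the remote when DOCKER_TLS_VERIFY is set.
    if [ -z "${DOCKER_TLS_VERIFY:-}" ]; then
        echo "reject: tcp:// without DOCKER_TLS_VERIFY"
        return 1
    fi
    # Mutual TLS needs the CA, the client cert and the client key.
    for f in ca.pem cert.pem key.pem; do
        if [ ! -r "$certs/$f" ]; then
            echo "reject: missing $certs/$f"; return 1
        fi
    done
    # The client key is a credential: no group/other permission bits.
    perms=$(ls -ld "$certs/key.pem" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "reject: $certs/key.pem is accessible to group/other ($perms)"
        return 1
    fi
    echo "ok: tcp with mutual TLS, certs in $certs"
    return 0
}
```

Typical use is `check_docker_transport && docker version`, so a plain `tcp://` endpoint or a shared, world-readable client key is caught before the CLI connects.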
-
I find that on my Mac, I must export the variable for it to become an ENVIRONMENT variable as opposed to just a shell variable:

```
export DOCKER_HOST=ssh://user@server
```
-
Sorry yes it should be export not set.
-
Docker-Machine allows you to spin up a docker host in the cloud but my laptop was the only thing that could control the remote docker host and it wasn’t clear to me what I needed to do to give another machine the ability to do the same.
When you manually roll your own docker host using this guide https://docs.docker.com/install/linux/docker-ce/ubuntu/, what are the steps required to set up remote access, similar to Docker-Machine?
Any tips for making this approach safe for production use?