Jan 09, 2018

Docker socket over SSH

Yesterday I described how to connect to a remote dockerd over TCP. I didn't touch security considerations at all (firewall, TLS certificate). This because, for my use, I prefer a different method, forwarding the Unix socket over SSH. Here's how.

First, you need OpenSSH version 6.7 or later (both client and server). Also, the login user on the remote instance must have permissions to access the Docker socket (in other words, be a member of the docker group).

Here's how to forward the remote socket:

ssh -fNTo ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L $HOME/.ssh/docker.sock:/var/run/docker.sock host
export DOCKER_HOST=$HOME/.ssh/docker.sock

And to close the connection and return to the local dockerd kill the ssh process that's running in the background, rm the docker socket under $HOME/.ssh and unset DOCKER_HOST.

The reason I prefer this method is that it's easier to setup for ad-hoc tasks and arguably more secure since you not only authenticate the user and host with SSH, but you limit access to only those that are part of the docker group.