docker: remote access api setup

Docker can accept remote connections: you type a docker command in your local terminal and it is executed on the remote Docker host. The API is equivalent to root on that host, so it must only be exposed over TLS with client-certificate verification, which is what the configuration below sets up.

In my case, I need that because I run a Gitlab-CI pipeline that builds an image, and I want to automatically update it for the running container on the server.

Server settings

You need to configure the Docker daemon to listen on an external interface, in the file /etc/docker/daemon.json:

{
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": true,
    "tlscacert": "/etc/ssl/docker/certs/ca.pem",
    "tlscert": "/etc/ssl/docker/certs/server-cert.pem",
    "tlskey": "/etc/ssl/docker/certs/server-key.pem",
    "tlsverify": true
}

2376 is the port on which Docker listens for incoming connections (you must allow it through the firewall too; restrict the rule to the addresses that actually need access rather than leaving 0.0.0.0:2376 reachable from anywhere). The next lines give the paths of the certificates used for client authentication; you generate them in the next step. "tls": true makes the daemon present server-cert.pem, and "tlsverify": true makes it reject every client that does not present a certificate signed by ca.pem. Without tlsverify, anyone who can reach the port has unauthenticated root-equivalent access to the host. On systemd-based distributions the stock docker.service starts dockerd with -H fd://, which conflicts with "hosts" in daemon.json and prevents the daemon from starting; create a drop-in file /etc/systemd/system/docker.service.d/override.conf with an empty ExecStart= line followed by ExecStart=/usr/bin/dockerd, then run systemctl daemon-reload before restarting.

For easy certificate generation you can use the script create-certs.sh: create the directory /etc/ssl/docker/, switch into it, download the script and grant it execute permission. Read the script before running it; it runs as root and produces the keys that gate access to the daemon.

mkdir /etc/ssl/docker/ && cd /etc/ssl/docker/
wget https://raw.githubusercontent.com/kekru/linux-utils/master/cert-generate/create-certs.sh
chmod +x create-certs.sh

Generate the three certificates Docker needs (CA, server and client):

./create-certs.sh -m ca -pw KEY-PASSWORD -t certs -e 900
./create-certs.sh -m server -h myserver.example.com -pw KEY-PASSWORD -t certs -e 365
./create-certs.sh -m client -h client1 -pw KEY-PASSWORD -t certs -e 365

Replace KEY-PASSWORD with your own random string; it is used to protect the private keys. The host name passed with -h for the server certificate must be the exact DNS name (or IP address) clients will later put in -H, because the client verifies it against the certificate. All generated files are placed in /etc/ssl/docker/certs/. Check that the server certificate and key file names match the tlscert and tlskey paths in daemon.json, and that the server key is stored unencrypted: dockerd cannot prompt for a passphrase and refuses a passphrase-protected key (an encrypted PEM file shows ENCRYPTED in its header).

Restart the Docker service; it now accepts incoming connections. Before opening the firewall, confirm that it listens on port 2376 and that a connection without a client certificate is rejected.
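As an added example (not the post's code and not the create-certs.sh script), the same three certificates produced with plain openssl, followed by the checks the docker client and dockerd actually apply to them. It assumes ECDSA P-256 keys (dockerd and the CLI are Go programs and load them fine; RSA 4096 as in the Docker docs also works), the server file names from daemon.json above, and client files named client-<name>-cert.pem and client-<name>-key.pem; myserver.example.com and client1 are placeholders.

```sh
#!/bin/sh
# Added example, not the create-certs.sh script: build the CA/server/client trio
# with plain openssl and check it the way dockerd and the docker client will.
# Assumptions: ECDSA P-256 keys, server file names as in daemon.json above,
# client files named client-<name>-cert.pem / client-<name>-key.pem.
set -eu

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# gen_docker_certs OUTDIR SERVER_NAME [CLIENT_NAME]
gen_docker_certs() {
    dir=$1; host=$2; client=${3:-client1}
    mkdir -p "$dir"
    umask 077   # every key file is created unreadable by other users

    # 1. CA. Self-signed and explicitly marked as a CA. Keep ca-key.pem off the
    #    Docker host once signing is done: whoever holds it can mint client certs.
    newkey "$dir/ca-key.pem"
    openssl req -new -key "$dir/ca-key.pem" -subj "/CN=docker-ca" -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    openssl x509 -req -days 900 -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem"

    # 2. Server. The SAN must be exactly what clients put in -H, because the
    #    client verifies the name. The key stays unencrypted: dockerd cannot
    #    prompt for a passphrase.
    case $host in *[!0-9.]*) san="DNS:$host" ;; *) san="IP:$host" ;; esac
    newkey "$dir/server-key.pem"
    openssl req -new -key "$dir/server-key.pem" -subj "/CN=$host" -out "$dir/server.csr"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" >"$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server-cert.pem"

    # 3. Client. clientAuth only, so a copy of the server cert cannot be replayed
    #    as a client credential and vice versa.
    newkey "$dir/client-$client-key.pem"
    openssl req -new -key "$dir/client-$client-key.pem" -subj "/CN=$client" -out "$dir/client.csr"
    printf 'extendedKeyUsage=clientAuth\n' >"$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client-$client-cert.pem"

    rm -f "$dir"/*.csr "$dir"/*.ext "$dir"/*.srl
    chmod 0444 "$dir/ca.pem" "$dir"/*-cert.pem   # certificates are public, keys stay 0600
}

# check_docker_certs DIR SERVER_NAME [CLIENT_NAME]: returns 0 only if the set will
# work for dockerd with "tlsverify": true and for a client using --tlsverify.
check_docker_certs() {
    dir=$1; host=$2; client=${3:-client1}
    case $host in *[!0-9.]*) nameopt="-verify_hostname" ;; *) nameopt="-verify_ip" ;; esac
    # What the client checks before sending any API request: chain to ca.pem,
    # serverAuth usage, and the dialed name.
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver $nameopt "$host" \
        "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    # What dockerd checks on every connection: chain to ca.pem and clientAuth usage.
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient \
        "$dir/client-$client-cert.pem" >/dev/null 2>&1 || return 1
    # dockerd (Go crypto/tls) cannot decrypt a passphrase-protected PEM key.
    if grep -q ENCRYPTED "$dir/server-key.pem"; then return 1; fi
    # Keys are credentials: refuse anything readable by group or others.
    for k in "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-$client-key.pem"; do
        case $(ls -l "$k") in -r--------*|-rw-------*) ;; *) return 1 ;; esac
    done
    return 0
}
```

Run gen_docker_certs /etc/ssl/docker/certs myserver.example.com client1 on the server, then check_docker_certs with the same arguments; the check also fails, as it should, if you pass a host name other than the one the server certificate was issued for, which is the error a client would see after a DNS or -H mismatch.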

Client setup

You can find many variations of the client configuration, but in general they all come down to one thing: pointing the docker CLI at the remote host and at the client certificates, either through environment variables (DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH) or through command-line flags as below. Docker must be installed on the client machine.

On Linux or macOS create an alias in your shell (file ~/.bashrc). Note that the alias references the certificate files generated on the server; copy ca.pem, client-client1-cert.pem and client-client1-key.pem to the client machine over a secure channel (scp, for example) and keep the key readable only by your user, since it grants full control of the remote daemon.

alias docker-remote="docker \
  --tlsverify \
  -H=your-remote-server.org:2376 \
  --tlscacert=/home/user/.docker/ca.pem \
  --tlscert=/home/user/.docker/client-client1-cert.pem \
  --tlskey=/home/user/.docker/client-client1-key.pem"

On Windows it is much the same, but instead of an alias create a file docker-remote.bat containing:

docker ^
  --tlsverify ^
  -H=your-remote-server.org:2376 ^
  --tlscacert=C:\users\user\docker\ca.pem ^
  --tlscert=C:\users\user\docker\client-client1-cert.pem ^
  --tlskey=C:\users\user\docker\client-client1-key.pem %*

Do not forget to change your-remote-server.org to the DNS name or IP address of your server (it must match the name the server certificate was issued for). From then on, use docker-remote on macOS/Linux or docker-remote.bat on Windows to talk to the server's Docker daemon.
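As an added example (not part of the original post), the environment-variable form of the same client setup, with the check a practitioner wants before handing the key to the CLI. It assumes the three files were copied from the server with the names used in the alias above (ca.pem, client-client1-cert.pem, client-client1-key.pem); the directory name ~/.docker-remote, the context name remote and the DOCKER_REMOTE_CERTS and DOCKER_CLI variables are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original post: the environment-variable form of
# the client setup, a preflight TLS check, and the equivalent docker context.
# Assumes the files copied from the server keep the names used in the alias
# above (ca.pem, client-client1-cert.pem, client-client1-key.pem).
set -eu

# DOCKER_CERT_PATH must point at a directory containing exactly ca.pem, cert.pem
# and key.pem, so the generated names have to be mapped onto those.
# prepare_cert_dir SRC DST [CLIENT]: copy under the expected names, refuse files
# the docker CLI cannot use, and lock down the key.
prepare_cert_dir() {
    src=$1; dst=$2; client=${3:-client1}
    mkdir -p "$dst" && chmod 0700 "$dst"
    for pair in "ca.pem:ca.pem" "client-$client-cert.pem:cert.pem" "client-$client-key.pem:key.pem"; do
        from=${pair%%:*}; to=${pair##*:}
        [ -f "$src/$from" ] || { echo "missing $src/$from" >&2; return 1; }
        rm -f "$dst/$to"
        cp "$src/$from" "$dst/$to" || return 1
    done
    grep -q 'BEGIN CERTIFICATE' "$dst/ca.pem" && grep -q 'BEGIN CERTIFICATE' "$dst/cert.pem" \
        && grep -q 'PRIVATE KEY' "$dst/key.pem" || { echo "not PEM" >&2; return 1; }
    # The docker CLI (Go crypto/tls) does not accept passphrase-protected keys.
    if grep -q ENCRYPTED "$dst/key.pem"; then echo "key.pem is encrypted" >&2; return 1; fi
    # The key is the credential: whoever can read it is root on the remote host.
    chmod 0444 "$dst/ca.pem" "$dst/cert.pem" && chmod 0400 "$dst/key.pem"
}

# docker_remote HOST [docker args...]: what the alias does, via the variables the
# CLI reads. DOCKER_REMOTE_CERTS overrides the certificate directory, DOCKER_CLI
# the binary (both are this example's own variables, not Docker's).
docker_remote() {
    host=$1; shift
    DOCKER_HOST="tcp://$host:2376" DOCKER_TLS_VERIFY=1 \
    DOCKER_CERT_PATH="${DOCKER_REMOTE_CERTS:-$HOME/.docker-remote}" \
        "${DOCKER_CLI:-docker}" "$@"
}

# tls_preflight HOST DIR: handshake with openssl before involving docker.
# "Verify return code: 0 (ok)" means the server cert chains to our ca.pem and
# carries HOST. It does not prove dockerd accepted our client cert (with TLS 1.3
# that rejection arrives after the handshake), so follow up with docker_remote version.
tls_preflight() {
    host=$1; dir=$2
    openssl s_client -connect "$host:2376" -servername "$host" -CAfile "$dir/ca.pem" \
        -cert "$dir/cert.pem" -key "$dir/key.pem" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# docker_context HOST DIR: the same settings persisted as a named context, so
# "docker --context remote ps" works without aliases or exported variables.
docker_context() {
    host=$1; dir=$2
    "${DOCKER_CLI:-docker}" context create remote \
        --docker "host=tcp://$host:2376,ca=$dir/ca.pem,cert=$dir/cert.pem,key=$dir/key.pem"
}
```

Typical use: prepare_cert_dir ~/copied-from-server ~/.docker-remote client1, then tls_preflight your-remote-server.org ~/.docker-remote, then docker_remote your-remote-server.org version; the last command is the real end-to-end check, because it is the first request dockerd answers only after validating the client certificate against ca.pem.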
