How to Open TCP Remote Access to Docker

By default, docker daemon only listens for connections on a Unix socket. This means that only local clients can connect to the Docker daemon. However, it is possible to configure Docker to accept remote connections by setting it up to listen on an IP address and port as well as the Unix socket.

Configuring

Now, lets get started with setting up remote access. There are two ways to do that - with systemd and daemon.json file. I prefer systemd approach and will describe it here.

1. Use the command sudo systemctl edit docker.service to open an override file for docker.service in a text editor.
2. Add or modify the following lines, substituting your own values:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375

Pay extreme attention to the comments in this file, as it tells you exactly where to put those lines:

### Editing /etc/systemd/system/docker.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://192.168.1.85:2375

### Lines below this comment will be discarded

### /lib/systemd/system/docker.service

Note that I’m putting my host’s IP address rather than 127.0.0.1, because otherwise it won’t be visible from outside the local machine, which is why we are doing the exercise in the first place.

3. Save the file.

4. Reload the systemctl configuration with sudo systemctl daemon-reload.

5. Restart Docker with sudo systemctl restart docker.service.

6. Verify that the change has gone through by running sudo netstat -lntp | grep dockerd. You should see output similar to this:

sudo netstat -lntp | grep dockerd

tcp        0      0 192.168.1.85:2375       0.0.0.0:*               LISTEN      5568/dockerd

Off-topic

I can now even connect from IntelliJ IDEA:

Security Implications

Before we dive into the details of how to set up remote access, its important to note that there are security implications to opening Docker to the network. If steps aren’t taken to secure the connection, its possible for remote non-root users to gain root access on the host. For more information on how to use TLS certificates to secure this connection, check out Protect the Docker daemon socket.

If you are running docker daemon with -H tcp://0.0.0.0:XXX or similar you are exposing un-encrypted and unauthenticated direct access to the Docker daemon. If the host is internet connected this means the docker daemon on your computer can be used by anyone from the public internet.

Solutions

There are several solutions available for securing the TCP socket for Docker.

Using SSH

You can use SSH to protect the Docker daemon socket by creating a docker context to connect with a remote dockerd daemon using SSH. After creating the context, use docker context use to switch the docker CLI to use it, and to connect to the remote engine. Alternatively, you can use the DOCKER_HOST environment variable to temporarily switch the docker CLI to connect to the remote host using SSH.

Using TLS (HTTPS)

If you need Docker to be reachable through HTTP rather than SSH in a safe manner, you can enable TLS (HTTPS) by specifying the tlsverify flag and pointing Dockers tlscacert flag to a trusted CA certificate. In this way, you can configure TLS so that clients without a matching certificate will be blocked from accessing Dockers TCP socket.

To set up TLS, you need to create SSL certificates, then set up Docker Engine to require TLS connections. You can do this by creating a Certificate Authority (CA) for your TLS configuration, then generating server and client keys and certificates. Once you have created your certificates, you can configure Docker Engine and your clients to use them.