Protect the Docker daemon socket | Enable docker
By default, Docker runs through a non-networked UNIX socket. It can also optionally communicate using SSH or a TLS (HTTPS) socket.
Use SSH to protect the Docker daemon socket

Note
The given USERNAME must have permissions to access the docker socket on the remote machine. Refer to manage Docker as a non-root user[1] to learn how to give a non-root user access to the docker socket.
The following example creates a docker context[2] to connect with a remote dockerd daemon on host1.example.com using SSH, and as the docker-user user on the remote machine:
$ docker context create \
    --docker host=ssh://docker-user@host1.example.com \
    --description="Remote engine" \
    my-remote-engine

my-remote-engine
Successfully created context "my-remote-engine"

After creating the context, use docker context use to switch the docker CLI to use it, and to connect to the remote engine:
$ docker context use my-remote-engine...
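The following script is an added example, not part of the Docker documentation: it refuses to create a context for an endpoint that does not protect the daemon socket (anything other than a local UNIX socket, SSH, or TLS-verified TCP), and checks the Note above by confirming over SSH that the remote user can actually use the socket before calling docker context create. The context name, user and host are placeholders; create_ssh_context needs ssh and the docker CLI, while the two helper functions run stand-alone.

```shell
#!/bin/sh
# Added example (not from the Docker docs). Assumes: ssh and docker in PATH,
# and that the remote socket lives at /var/run/docker.sock.

# Return 0 when the endpoint scheme protects the daemon socket: a local UNIX
# socket, SSH, or tcp:// only when TLS verification is enabled. A plain
# tcp:// endpoint is rejected because it exposes the daemon unauthenticated.
endpoint_is_protected() {
    case "$1" in
        unix://*|ssh://*) return 0 ;;
        tcp://*) [ "${DOCKER_TLS_VERIFY:-0}" = "1" ] ;;
        *) return 1 ;;
    esac
}

# Extract "user@host" from an ssh:// endpoint, e.g.
# ssh://docker-user@host1.example.com -> docker-user@host1.example.com
ssh_target() {
    printf '%s\n' "${1#ssh://}" | cut -d/ -f1
}

# Verify the endpoint and the remote user's socket access, then create the
# context. This function contacts the remote host and is not run by the
# stand-alone checks; usage: create_ssh_context my-remote-engine ssh://docker-user@host1.example.com
create_ssh_context() {
    name="$1"; endpoint="$2"
    endpoint_is_protected "$endpoint" || {
        echo "refusing unprotected endpoint: $endpoint" >&2; return 1; }
    target=$(ssh_target "$endpoint")
    # The remote USERNAME must be able to use the socket (see the Note above),
    # e.g. by being a member of the docker group; fail early if not.
    ssh "$target" 'test -w /var/run/docker.sock' || {
        echo "$target cannot access the docker socket" >&2; return 1; }
    docker context create --docker "host=$endpoint" \
        --description="Remote engine" "$name"
}
```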