SSH Tunnel
An SSH tunnel is a viable option for securely exposing a remote Docker daemon on a local port, which is useful in situations where enabling TLS on the daemon isn't an option. This doesn't require any special setup on the
/etc/systemd/system/docker-tunnel-remote1.service
[Unit]
Description=SSH tunnel for remote Docker host remote1
After=network-online.target
Wants=network-online.target
[Service]
User=root
ExecStart=/usr/bin/ssh -N \
-i /root/.ssh/tunnel \
-o IdentitiesOnly=yes \
-o ExitOnForwardFailure=yes \
-o ServerAliveInterval=60 \
-o ServerAliveCountMax=3 \
-L 127.0.0.1:42375:127.0.0.1:2375 [email protected]
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Detailed explanation of options
-N - Do not execute a remote command; the connection is used for port forwarding only.
-i /root/.ssh/tunnel - Specifies the private key to use as the identity.
-o IdentitiesOnly=yes - Prevents any SSH agent keys from being offered, and forces the use of the specified identity.
-o ExitOnForwardFailure=yes - Exit if the port forwarding cannot be set up, so the unit fails (and is restarted) instead of silently running without a tunnel.
-o ServerAliveInterval=60 - Send a keepalive message every 60 seconds to detect dropped connections.
-o ServerAliveCountMax=3 - Allow up to 3 missed keepalive responses before disconnecting.
-L 127.0.0.1:42375:127.0.0.1:2375 - Forward local port 42375 (bound to the local loopback interface only) to port 2375 on the remote host's loopback interface, tunneling Docker API traffic.
[email protected] - Remote user and host to connect to. Change this as necessary.
Only other services running under the same user (root in this case) will have access to the tunnel.
The remote host key needs to be in the known_hosts file
This will prompt you to add the host key to the known_hosts file.
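As an added example (not part of this page or the project's own code), the following script audits a unit like the one above before it is installed: it joins the backslash-continued ExecStart line the way systemd does, splits the ssh command, and reports when one of the options explained above is missing, when the -L forward is not bound to loopback, or when host-key checking has been switched off (which defeats the known_hosts requirement). The unit text is constructed for the example and uses the placeholder tunnel@remote1.example in place of the real user and host; the function names are hypothetical.

```python
"""Audit a systemd unit wrapping an `ssh -L` tunnel to a remote Docker daemon.

Added example, not the project's own code. Checks the ExecStart line for the
hardening options discussed on this page and flags the two mistakes that turn a
loopback-only tunnel into an exposed Docker socket: a non-loopback bind address
and disabled host-key verification.
"""
import re
import shlex

# Constructed sample: the page's unit with a placeholder user@host.
SAMPLE_UNIT = """\
[Unit]
Description=SSH tunnel for remote Docker host remote1
After=network-online.target
Wants=network-online.target
[Service]
User=root
ExecStart=/usr/bin/ssh -N \\
  -i /root/.ssh/tunnel \\
  -o IdentitiesOnly=yes \\
  -o ExitOnForwardFailure=yes \\
  -o ServerAliveInterval=60 \\
  -o ServerAliveCountMax=3 \\
  -L 127.0.0.1:42375:127.0.0.1:2375 tunnel@remote1.example
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
"""

# Constructed weakened variant: bound to all interfaces, host-key checks off.
WEAK_UNIT = SAMPLE_UNIT.replace("-L 127.0.0.1:42375", "-L 0.0.0.0:42375").replace(
    "-o IdentitiesOnly=yes", "-o IdentitiesOnly=yes -o StrictHostKeyChecking=no")


def unit_keys(text):
    """Return {key: value}, joining backslash-continued lines as systemd does."""
    joined = re.sub(r"\\\n\s*", " ", text)
    keys = {}
    for line in joined.splitlines():
        if "=" in line and not line.startswith("["):
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


def parse_ssh_args(execstart):
    """Split the ssh command; collect -o options, -L forward specs and bare flags."""
    argv = shlex.split(execstart)
    opts, forwards, flags = {}, [], set()
    i = 1  # argv[0] is the ssh binary
    while i < len(argv):
        a = argv[i]
        if a == "-o":
            k, _, v = argv[i + 1].partition("=")
            opts[k] = v
            i += 2
        elif a == "-L":
            forwards.append(argv[i + 1])
            i += 2
        elif a == "-i":
            flags.add("-i")
            i += 2
        elif a.startswith("-"):
            flags.add(a)
            i += 1
        else:
            i += 1  # destination user@host
    return opts, forwards, flags


def audit_tunnel_unit(text):
    """Return a list of findings; an empty list means the unit passes."""
    keys = unit_keys(text)
    opts, forwards, flags = parse_ssh_args(keys.get("ExecStart", ""))
    findings = []
    if "-N" not in flags:
        findings.append("missing -N: a remote shell is started instead of a pure forward")
    if "-i" not in flags or opts.get("IdentitiesOnly") != "yes":
        findings.append("identity not pinned: use -i <key> together with -o IdentitiesOnly=yes")
    if opts.get("ExitOnForwardFailure") != "yes":
        findings.append("ExitOnForwardFailure=yes missing: a failed forward would go unnoticed")
    if not opts.get("ServerAliveInterval") or not opts.get("ServerAliveCountMax"):
        findings.append("no keepalive: a dead tunnel would not be detected and restarted")
    if opts.get("StrictHostKeyChecking", "").lower() == "no" or opts.get("UserKnownHostsFile") == "/dev/null":
        findings.append("host key checking disabled: the tunnel could be terminated by an impostor host")
    if not forwards:
        findings.append("no -L forward configured")
    # -L syntax is [bind_address:]port:host:hostport; an empty bind address is
    # loopback by default unless -g is given (IPv6 brackets are not handled here).
    loopback = {"127.0.0.1", "localhost", "::1", ""}
    for spec in forwards:
        parts = spec.split(":")
        bind = parts[0] if len(parts) == 4 else ""
        if bind not in loopback or "-g" in flags:
            findings.append(f"forward {spec!r} is not bound to loopback: the Docker API would be reachable from the network")
    if keys.get("Restart") != "always":
        findings.append("Restart=always missing: the tunnel will not come back after a drop")
    return findings


if __name__ == "__main__":
    for name, unit in (("sample", SAMPLE_UNIT), ("weakened", WEAK_UNIT)):
        print(name, audit_tunnel_unit(unit) or "OK")
```

Running the script prints OK for the page's unit and two findings for the weakened variant. The bind-address check matters because a loopback-only listener is the whole point of the design: with -L 0.0.0.0:42375 the unauthenticated Docker API on the remote host would be reachable from anything that can reach the local machine.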