pr177

Reputation: 670

Connect to remote docker host / deploy a stack

I created a docker stack to deploy to a swarm. Now I'm a bit confused about what the proper way to deploy it to a real server looks like.

Of course I can

  1. scp my docker-stack.yml file to a node of my swarm
  2. ssh into the node
  3. run docker stack deploy -c docker-stack.yml stackname

So there is the docker-machine tool, I thought. I tried

docker-machine create -d none --url=tcp://<RemoteHostIp>:2375 node1

which only seems to work if you open the port without TLS? I received the following:

$ docker-machine env node1
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.178.49:2375": dial tcp 192.168.178.49:2375: connectex: No connection could be made because the target machine actively refused it.
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which might stop running containers.

I already tried to generate a certificate & copy it over to the host:

 ssh-keygen -t rsa
 ssh-copy-id myuser@node1

Then I ran

docker-machine --tls-ca-cert PathToMyCert --tls-client-cert PathToMyCert create -d none --url=tcp://192.168.178.49:2375 node1 

With the following result:

 $ docker-machine env node1
 Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "node1:2375": There was an error reading certificate
 You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
 Be advised that this will trigger a Docker daemon restart which might stop running containers.

I also tried it with the generic driver

$ docker-machine create -d generic --generic-ssh-port "22" --generic-ssh-user "MyRemoteUser" --generic-ip-address 192.168.178.49 node1
Running pre-create checks...
Creating machine...
(node1) No SSH key specified. Assuming an existing key at the default location.
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
Detecting the provisioner...
Error creating machine: Error detecting OS: OS type not recognized

How do I add the remote docker host with docker-machine properly with TLS? Or is there a better way to deploy stacks to a server/into production?

I often read that you shouldn't expose the docker port, but never once how to do it. And I can't believe that they don't provide a simple way to do this.

Update & Solution

I think both answers have their qualification. I found the Deploy to Azure official doc (it's the same for AWS). The answer from @Tarun Lalwani pointed me in the right direction and is almost the official solution. That's the reason I accepted his answer.

For me the following commands worked:

ssh -fNL localhost:2374:/var/run/docker.sock myuser@node1

Then you can run either:

docker -H localhost:2374 stack deploy -c stack-compose.yml stackname

or

export DOCKER_HOST=localhost:2374
docker stack deploy -c stack-compose.yml stackname

The answer from @BMitch is also valid and the security concern he mentioned shouldn't be ignored.

Update 2

The answer from @bretf is an awesome way to connect to your swarm, especially if you have more than one. It's still beta but works for swarms that are reachable from the internet and don't have an ARM architecture.

Upvotes: 5

Views: 5593

Answers (3)

Bret Fisher

Reputation: 8596

If you're using Docker for Windows or Docker for Mac, Docker Cloud has a more automated way to set up your TLS certs and get you securely connected to a remote host for free. Under "Swarms" there's "Bring your own Swarm", which runs an agent container on your Swarm managers to let you easily use your local docker CLI without manual cert setup. It still requires the Swarm port open to the internet, but this setup ensures it has TLS mutual auth enabled.

Here's a youtube video showing how to set it up. It can also support group permissions for adding/removing other admins from remotely accessing the Swarm.

Upvotes: 2

BMitch

Reputation: 263469

You don't need docker-machine for this. Docker has the detailed steps to configure TLS in their documentation. The steps involve:

  • create a CA
  • create and sign a server certificate
  • configure the dockerd daemon to use this cert and validate client certs
  • create and sign a client certificate
  • copy the CA and client certificate files to your client machine's .docker folder
  • set some environment variables to use the client certificates and the remote docker host

I wouldn't use the ssh tunnel method on a multi-user environment since any user with access to 127.0.0.1 would have root access to the remote docker host without a password or any auditing.

Upvotes: 3
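The six steps above, as an added example (not part of the answer or of Docker's documentation): a small POSIX shell script that mints the CA, the server cert and the client cert with openssl, and emits the dockerd flags and client environment that go with them. The host name node1, the IP 192.168.178.49 and the output directories are assumptions; the TLS port 2376 is Docker's documented default. The server cert gets a serverAuth EKU and the client cert a clientAuth EKU, so neither can be used in the other role, and cert_is_for shows the openssl check that tells them apart.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumes openssl is installed and
# that node1 / 192.168.178.49 are the swarm manager you will dial.
set -eu

# make_ca DIR: self-signed CA that signs both the server and client certs.
# Anyone holding ca-key.pem can mint a client cert that dockerd accepts as
# root-equivalent, so it is the most sensitive file this script produces.
make_ca() {
  mkdir -p "$1"
  openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null   # Docker's docs use 4096
  chmod 0400 "$1/ca-key.pem"
  openssl req -new -x509 -days 365 -sha256 -key "$1/ca-key.pem" \
    -subj "/CN=docker-ca" -out "$1/ca.pem" 2>/dev/null
}

# make_server_cert DIR HOST IP: the SANs must cover whatever the client puts
# in DOCKER_HOST (DNS name, public IP, 127.0.0.1 for local use on the node).
make_server_cert() {
  openssl genrsa -out "$1/server-key.pem" 2048 2>/dev/null
  chmod 0400 "$1/server-key.pem"
  openssl req -new -sha256 -key "$1/server-key.pem" -subj "/CN=$2" \
    -out "$1/server.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
    "$2" "$3" > "$1/server-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$1/server.csr" -CA "$1/ca.pem" \
    -CAkey "$1/ca-key.pem" -CAcreateserial -extfile "$1/server-ext.cnf" \
    -out "$1/server-cert.pem" 2>/dev/null
}

# make_client_cert DIR NAME: clientAuth only; cert.pem/key.pem are the names
# the docker CLI looks for in DOCKER_CERT_PATH alongside ca.pem.
make_client_cert() {
  openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
  chmod 0400 "$1/key.pem"
  openssl req -new -sha256 -key "$1/key.pem" -subj "/CN=$2" \
    -out "$1/client.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > "$1/client-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$1/client.csr" -CA "$1/ca.pem" \
    -CAkey "$1/ca-key.pem" -CAcreateserial -extfile "$1/client-ext.cnf" \
    -out "$1/cert.pem" 2>/dev/null
}

# cert_is_for DIR CERT PURPOSE: true if CERT chains to DIR/ca.pem and its EKU
# allows PURPOSE (sslserver or sslclient). A client cert must fail sslserver.
cert_is_for() {
  openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# dockerd_flags DIR: what dockerd needs to demand a cert signed by our CA.
# Keep the unix socket too, or local "docker" commands on the node stop working.
dockerd_flags() {
  printf '%s --tlscacert=%s/ca.pem --tlscert=%s/server-cert.pem --tlskey=%s/server-key.pem -H=unix:///var/run/docker.sock -H=0.0.0.0:2376\n' \
    --tlsverify "$1" "$1" "$1"
}

# client_env DIR HOST: the environment for the docker CLI; DIR must hold
# ca.pem, cert.pem and key.pem (the CA key stays on the signing machine).
client_env() {
  printf 'export DOCKER_HOST=tcp://%s:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=%s\n' \
    "$2" "$1"
}

# Usage: sh tls-setup.sh <outdir> <host> <ip>
if [ $# -eq 3 ]; then
  make_ca "$1"
  make_server_cert "$1" "$2" "$3"
  make_client_cert "$1" deployer
  echo "dockerd flags: $(dockerd_flags /etc/docker/certs)"
  client_env "$HOME/.docker" "$2"
fi
```

Copy ca.pem, server-cert.pem and server-key.pem to /etc/docker/certs on node1 and put the flags from dockerd_flags on the daemon (on a systemd host either in the ExecStart line or as "hosts"/"tls*" keys in daemon.json, not both, since dockerd refuses to start when -H is given in both places); copy ca.pem, cert.pem and key.pem to ~/.docker on the client and eval the output of client_env, after which the docker stack deploy from the question runs unchanged against the remote swarm.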

Tarun Lalwani

Reputation: 146490

I would prefer not opening/exposing the docker port even if I am thinking of TLS. I would rather use an SSH tunnel and then do the deployment

ssh -L 2375:127.0.0.1:2375 myuser@node1

And then use

export DOCKER_HOST=tcp://127.0.0.1:2375
docker stack deploy -c docker-stack.yml stackname

Upvotes: 6
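The tunnel approach from this answer and the asker's docker.sock variant, as an added example (not code from either of them) that also takes BMitch's multi-user point into account: instead of binding a TCP port on 127.0.0.1, which every local user can connect to, the remote /var/run/docker.sock is forwarded to a local unix socket that OpenSSH creates with mode 0600 (StreamLocalBindMask=0177; unix-socket forwarding needs OpenSSH 6.7 or newer), and the tunnel is opened through a control socket so it can be torn down by name when the deploy finishes. myuser@node1 and docker-stack.yml come from the question; the socket and control paths are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumes OpenSSH >= 6.7 on the
# client, a docker CLI locally, and that myuser may read the remote docker.sock.
set -eu

REMOTE=${DOCKER_TUNNEL_REMOTE:-myuser@node1}
SOCK=${DOCKER_TUNNEL_SOCK:-$HOME/.docker/node1.sock}   # assumed local socket path
CTL=${DOCKER_TUNNEL_CTL:-$HOME/.ssh/ctl-node1}         # assumed control socket path

# socket_is_private PATH: true if PATH has no group/other permission bits.
# Reads the mode string from ls so it works on GNU and BSD userlands alike.
socket_is_private() {
  perms=$(ls -ld "$1" | cut -c2-10)
  [ "$perms" = "rw-------" ]
}

# open_tunnel: forward the remote docker.sock to $SOCK and park ssh in the
# background as a control master. ExitOnForwardFailure makes a refused
# forward fail the command instead of leaving a tunnel that silently does nothing.
open_tunnel() {
  mkdir -p "$(dirname "$SOCK")" "$(dirname "$CTL")"
  ssh -fN \
    -o ExitOnForwardFailure=yes \
    -o StreamLocalBindUnlink=yes \
    -o StreamLocalBindMask=0177 \
    -M -S "$CTL" \
    -L "$SOCK:/var/run/docker.sock" "$REMOTE"
  if ! socket_is_private "$SOCK"; then
    echo "refusing to use $SOCK: other users could reach the remote daemon" >&2
    close_tunnel
    return 1
  fi
}

# close_tunnel: ask the control master to exit, which also removes $SOCK.
close_tunnel() {
  ssh -O exit -S "$CTL" "$REMOTE" >/dev/null 2>&1 || true
}

# deploy STACK: the same command as in the answers, pointed at the forwarded socket.
deploy() {
  DOCKER_HOST="unix://$SOCK" docker stack deploy -c docker-stack.yml "$1"
}

# Usage: sh deploy-over-ssh.sh deploy stackname
case ${1:-} in
  deploy)
    open_tunnel
    trap close_tunnel EXIT
    deploy "${2:-stackname}"
    ;;
esac
```

This narrows who can use the tunnel to the user who opened it, but it does not change what BMitch points out about the remote side: whoever reaches the socket is root-equivalent on node1, and the only trace on the server is the ssh login of myuser. Newer docker CLIs (18.09 and later) can also use DOCKER_HOST=ssh://myuser@node1 directly, which gives the same trust model without a long-lived forward.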
