I have a server running the docker daemon exposing port 2375 (yes, this is naughty, but I'm looking at getting the simplest set-up working before doing things properly).
I can connect to the remote server as root:
➜ ~ export DOCKER_HOST=72.333.194.99:2375
➜ ~ docker ps
Cannot connect to the Docker daemon at tcp://72.333.194.99:2375. Is the docker daemon running?
➜ ~ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
➜ ~
The above example is for brevity; I can build images and run containers on my remote server using local source files.
How can I do the same without being root?
I have set up the docker group on my server, so when I'm in the server I do not need to be sudo. I have a single user on my server with the name 'root'.
I have a server running the docker daemon exposing port 2375 (yes, this is naughty, but I'm looking at getting the simplest set-up working before doing things properly).
This isn't naughty, it's dangerous. It means you have remote root shell access to your host, unencrypted, without a password, on a well-known and scanned-for protocol. If you've actually set this up like this, then most likely by the time you're reading this answer your server has already been hacked and you should reinstall your entire OS to be safe.
I can connect to the remote server as root:
➜ ~ export DOCKER_HOST=72.333.194.99:2375
➜ ~ docker ps
Cannot connect to the Docker daemon at tcp://72.333.194.99:2375. Is the docker daemon running?
➜ ~ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
➜ ~
You have not connected to the remote server in either docker command. First, you did not give a valid IP address. 333 is outside of the valid range. And the second sudo command runs in a root shell, with a different environment, so it is most likely your local docker install that you saw with that command. You can run sudo docker info to see this.
How do I connect to a remote docker daemon without being root?
Docker is a client/server application. The remote server does not know your local user id when connecting over TCP, so eliminate that from the equation. The reason you need to have root access locally, or be a member of the docker group, is because docker locks down access to /var/run/docker.sock with those permissions. If you have not configured the remote server to listen on the network (hopefully), then you can follow this procedure to configure a private CA with TLS keys for the server and client:
https://docs.docker.com/engine/security/https/
If you deviate from these instructions, and simply expose the socket without TLS, or do not configure mutual TLS authentication of both the client and the server, then you effectively have a remote root login to the server without a password, so do take care to follow all of the steps.
If you do not want to configure mutual TLS, 18.09 is currently in beta with the option to connect to a remote docker server over ssh: https://blog.docker.com/2018/09/join-the-beta-for-docker-engine-18-09/
$ docker -H ssh://[email protected] info
or
$ export DOCKER_HOST=ssh://[email protected]
$ docker info
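An added example, not part of the answer above: a small audit of a `daemon.json` that tells apart the cases the answer distinguishes (plain TCP, TLS without client verification, mutual TLS). It assumes listeners are declared in `daemon.json` only; `-H` flags on the dockerd command line are not examined. The function name, verdict strings and sample documents are constructed for illustration.

```python
import json

def audit_docker_hosts(daemon_json: str) -> list:
    """Return (host, verdict) for every listener declared in a daemon.json document."""
    cfg = json.loads(daemon_json)
    verify = bool(cfg.get("tlsverify"))       # server checks client certificates
    tls = verify or bool(cfg.get("tls"))      # tlsverify implies tls
    results = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            # unix:// and fd:// listeners are guarded by local socket permissions
            results.append((host, "local"))
        elif not tls:
            # cleartext API: anyone who can reach the port controls the daemon
            results.append((host, "no-tls"))
        elif not verify:
            # traffic is encrypted, but any client is accepted
            results.append((host, "tls-no-client-auth"))
        else:
            results.append((host, "mutual-tls"))
    return results

# Constructed sample configurations (paths are placeholders).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
ENCRYPTED_ONLY = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
MUTUAL = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED), ("encrypted only", ENCRYPTED_ONLY),
                      ("mutual TLS", MUTUAL)):
        for host, verdict in audit_docker_hosts(doc):
            print(f"{name:15} {host:35} {verdict}")
```

Only the `mutual-tls` verdict matches the setup the linked procedure produces; both `no-tls` and `tls-no-client-auth` leave the API open to any client that can reach the port.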