Managing Docker remotely can be a game-changer, but opening up its API without proper security measures can lead to serious risks. In this guide, we'll show you two ways to enable remote access to your Docker Engine: a quick but insecure method and a secure TLS-encrypted setup that safeguards your infrastructure.
1. Quick & Insecure Setup (Not Recommended for Production)
This method exposes the Docker API over plain TCP with no encryption and no authentication. Anyone who can reach the port can start a privileged container with the host filesystem mounted, so an unauthenticated Docker API is equivalent to a root shell on the host. Use it only on an isolated lab network that nobody else can reach, and never on a host with a public interface. (By convention 2375 is the plaintext port and 2376 the TLS port; this guide uses 2376 in both setups.)
1.1 Steps to Enable Insecure Remote Access
- Modify Docker’s configuration file:
sudo vim /etc/docker/daemon.json
- Add the following lines:
{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
- Adjust Docker's service file. `hosts` cannot be set both in daemon.json and via `-H` on the dockerd command line (the daemon refuses to start and reports the conflicting directive), so the `-H fd://` in `ExecStart` has to be removed:
sudo sed -i 's# -H fd://# #g' /lib/systemd/system/docker.service
sudo systemctl daemon-reload
sudo systemctl restart docker.service
Note that a unit file edited in place under /lib/systemd/system is overwritten by the next package upgrade; a drop-in under /etc/systemd/system/docker.service.d/ that resets `ExecStart=` to the same command line without `-H fd://` survives upgrades.
Confirm that the daemon is listening (you should see dockerd with `*:2376 (LISTEN)`):
sudo lsof -i:2376
Test remote access. Note that `docker --version` only prints the local client's version and never contacts a daemon, so it proves nothing about the remote endpoint; `docker version` queries the server as well and fails if it is unreachable:
docker -H tcp://<SERVER_IP>:2376 version
2. Secure Setup with TLS Encryption (Recommended for Production)
For production environments, TLS is a must, but on its own it only gives you encryption and server identity. What makes the API safe to expose is mutual TLS: with `tlsverify` enabled, the daemon also demands a client certificate signed by your own CA before it will talk to anyone. That client certificate (cert.pem plus key.pem) is then a root credential for the host and has to be protected like one.
2.1. Generating TLS Certificates
- Create a Certificate Authority (CA):
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
- Generate and sign the server certificate:
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=<SERVER_DNS>" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:<SERVER_DNS>,IP:<SERVER_IP> > extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
- Generate and sign the client certificate:
openssl genrsa -out key.pem 4096
openssl req -subj "/CN=client" -sha256 -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
- Package the certificates. Only ca.pem (the public CA certificate) travels to the server and the client; ca-key.pem stays on the machine where you ran these commands, ideally offline, because whoever holds it can mint new client certificates at will. Both tarballs contain a private key, so tighten file modes before packaging (0400 on server-key.pem, key.pem and ca-key.pem, 0444 on the certificates) and delete the tarballs once they have been deployed.
Server side:
mkdir certs
cp ca.pem server-cert.pem server-key.pem certs/
tar -zcvf server-key.tar.gz certs
Client side:
tar -zcvf client-key.tar.gz ca.pem cert.pem key.pem
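The commands of section 2.1, collected into one script that also checks its own output, as an added example that is not part of the original post. It assumes `openssl` is on the PATH; `docker.example.internal`, `10.0.0.10` and the CA passphrase are placeholders constructed for the example and can be overridden through the environment. Beyond the post's steps it sets the file modes Docker's documentation recommends and uses `openssl verify -purpose` to prove that both leaf certificates chain to the CA and that the serverAuth/clientAuth split actually holds, so a leaked server key cannot be replayed as a client credential.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the CA, server and
# client certificates from section 2.1 in one run and verify each one can only
# serve its intended role. Needs only `openssl`. Host name, IP and passphrase
# are placeholders constructed for this example.
set -eu

SERVER_DNS="${SERVER_DNS:-docker.example.internal}"   # assumed placeholder
SERVER_IP="${SERVER_IP:-10.0.0.10}"                    # assumed placeholder
CA_PASS="${CA_PASS:-change-me}"                        # passphrase for the AES-256 CA key
KEY_BITS="${KEY_BITS:-4096}"                           # same size the post uses
OUT_DIR="$(mktemp -d)"

# Generate all material under $1, following the post's recipe step by step.
# Runs in a subshell so the cd does not leak into the caller.
gen_docker_certs() (
  cd "$1"
  # 1. CA: passphrase-protected key and a self-signed certificate (the default
  #    `req -x509` extensions mark it CA:TRUE).
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -subj "/CN=docker-ca" \
    -key ca-key.pem -passin "pass:$CA_PASS" -out ca.pem
  # 2. Server: the SAN carries both the DNS name and the IP clients may dial;
  #    extendedKeyUsage = serverAuth means it cannot pass as a client cert.
  openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
  openssl req -new -sha256 -subj "/CN=$SERVER_DNS" -key server-key.pem -out server.csr
  printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
    "$SERVER_DNS" "$SERVER_IP" > extfile.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -passin "pass:$CA_PASS" -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
  # 3. Client: clientAuth only; cert.pem/key.pem are the names `docker` expects
  #    in DOCKER_CERT_PATH.
  openssl genrsa -out key.pem "$KEY_BITS" 2>/dev/null
  openssl req -new -sha256 -subj "/CN=client" -key key.pem -out client.csr
  printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -passin "pass:$CA_PASS" -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
  # 4. Private keys owner-read-only, certificates world-readable; drop the scratch files.
  chmod 0400 ca-key.pem server-key.pem key.pem
  chmod 0444 ca.pem server-cert.pem cert.pem
  rm -f server.csr client.csr extfile.cnf extfile-client.cnf
)

# Returns 0 only if both leaf certs chain to ca.pem with the right purpose and
# the server cert names the host exactly as clients will dial it.
verify_docker_certs() {
  d="$1"
  openssl verify -CAfile "$d/ca.pem" -purpose sslserver "$d/server-cert.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$d/ca.pem" -purpose sslclient "$d/cert.pem" >/dev/null 2>&1 || return 1
  txt="$(openssl x509 -in "$d/server-cert.pem" -noout -text)"
  printf '%s\n' "$txt" | grep -q "DNS:$SERVER_DNS" || return 1
  printf '%s\n' "$txt" | grep -q "IP Address:$SERVER_IP" || return 1
}

# Returns 0 if certificate $1 is rejected for purpose $2 (sslserver or sslclient).
cert_rejected_for() {
  if openssl verify -CAfile "$OUT_DIR/ca.pem" -purpose "$2" "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

gen_docker_certs "$OUT_DIR"
verify_docker_certs "$OUT_DIR"
# The EKU split is what keeps a server key from doubling as a client credential.
cert_rejected_for "$OUT_DIR/server-cert.pem" sslclient
cert_rejected_for "$OUT_DIR/cert.pem" sslserver
echo "certificates generated and verified in $OUT_DIR"
```

Run it once on an administrative workstation, copy only ca.pem, server-cert.pem and server-key.pem into /etc/docker/certs/ on the daemon host and ca.pem, cert.pem and key.pem to the client, and keep ca-key.pem and its passphrase off both.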
2.2. Configuring Docker to Use TLS
- Deploy the server certificates:
sudo tar -zxvf server-key.tar.gz -C /etc/docker/
- Modify Docker’s configuration file:
sudo vim /etc/docker/daemon.json
Add:
{
"hosts": ["unix:///var/run/docker.sock", "tcp://<SERVER_IP>:2376"],
"tls": true,
"tlscacert": "/etc/docker/certs/ca.pem",
"tlscert": "/etc/docker/certs/server-cert.pem",
"tlskey": "/etc/docker/certs/server-key.pem",
"tlsverify": true
}
- Restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker.service
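The daemon.json from section 1 and the one from section 2 differ in exactly the settings that decide who can reach the API. As an added example, not from the original post, here is a small audit script that classifies a daemon.json as plaintext, TLS without client authentication, or mutual TLS, and flags a listener bound to every interface. It uses grep instead of a JSON parser so it runs on a bare host, which means it expects the simple one-key-per-line layout used in this guide; the four sample files are constructed inline and 10.0.0.10 is a placeholder address.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a daemon.json for the
# remote-access settings discussed above. grep only, so it expects the plain
# one-key-per-line layout used in this guide.
set -eu

# Prints findings for the daemon.json at $1.
# Returns 0 only if there is no TCP listener, or the TCP listener requires
# TLS *and* a client certificate (tlsverify). Anything else is a finding.
audit_daemon_json() {
  f="$1"
  rc=0
  if ! grep -q 'tcp://' "$f"; then
    echo "$f: OK, no TCP listener; the API is reachable only via the Unix socket"
    return 0
  fi
  # tcp://0.0.0.0:PORT, tcp://[::]:PORT and tcp://:PORT all bind every interface.
  if grep -Eq 'tcp://(0\.0\.0\.0:|\[::\]:|:)' "$f"; then
    echo "$f: WARNING listener bound to all interfaces; bind to the management IP instead"
    rc=1
  fi
  if grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$f"; then
    echo "$f: mutual TLS required on the TCP listener"
    if ! grep -q '"tlscacert"' "$f"; then
      echo "$f: WARNING tlsverify without tlscacert; dockerd falls back to its default CA path"
    fi
  elif grep -Eq '"tls"[[:space:]]*:[[:space:]]*true' "$f"; then
    echo "$f: CRITICAL tls is on but tlsverify is not: traffic is encrypted, but any client is accepted"
    rc=1
  else
    echo "$f: CRITICAL plaintext TCP listener: anyone reaching the port gets root on this host"
    rc=1
  fi
  return "$rc"
}

# Constructed sample files: the section 1 config, a half-way config that only
# encrypts, the section 2 config, and a socket-only config.
TMP="$(mktemp -d)"
cat > "$TMP/insecure.json" <<'EOF'
{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
EOF
cat > "$TMP/tls-only.json" <<'EOF'
{
"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.10:2376"],
"tls": true,
"tlscert": "/etc/docker/certs/server-cert.pem",
"tlskey": "/etc/docker/certs/server-key.pem"
}
EOF
cat > "$TMP/secure.json" <<'EOF'
{
"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.10:2376"],
"tls": true,
"tlscacert": "/etc/docker/certs/ca.pem",
"tlscert": "/etc/docker/certs/server-cert.pem",
"tlskey": "/etc/docker/certs/server-key.pem",
"tlsverify": true
}
EOF
cat > "$TMP/local-only.json" <<'EOF'
{
"hosts": ["unix:///var/run/docker.sock"]
}
EOF

for f in insecure tls-only secure local-only; do
  audit_daemon_json "$TMP/$f.json" || true   # keep going; findings are printed per file
done
```

Point `audit_daemon_json` at /etc/docker/daemon.json on a real host; the "tls-only" case is the one people miss, since `"tls": true` without `"tlsverify": true` still accepts any client that speaks TLS.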
2.3. Testing Secure Remote Access
Extract the client certificates:
mkdir client-keys
tar -zxvf client-key.tar.gz -C client-keys
Connect securely to Docker (no sudo is needed on the client, since it never touches the local socket):
docker --tlsverify --tlscacert=client-keys/ca.pem --tlscert=client-keys/cert.pem --tlskey=client-keys/key.pem -H=<SERVER_DNS>:2376 run -ti nginx
If the client omits its certificate, or presents one that was not signed by ca.pem, the daemon rejects the TLS handshake; that refusal is the whole point of `tlsverify`, so it is worth confirming once. To avoid repeating the flags on every call, set DOCKER_HOST, DOCKER_TLS_VERIFY=1 and DOCKER_CERT_PATH in the environment; DOCKER_CERT_PATH points at a directory containing ca.pem, cert.pem and key.pem, which is why the client files carry those names.
Final Thoughts: Secure Your Docker API Before It’s Too Late!
Enabling remote access to Docker without security measures is a major risk. While the quick setup method is convenient for testing, it should never be used in production. Instead, use TLS encryption to lock down your API and prevent unauthorized access.
🔹 Key Takeaways:
- 🚀 Remote Docker Management improves flexibility and automation.
- ⚠️ Exposing Docker over plain TCP hands root on the host to anyone who can reach the port.
- 🔒 Mutual TLS (`tlsverify` with your own CA) ensures only clients holding a certificate signed by that CA can connect; guard key.pem and ca-key.pem accordingly.
💡 Need more insights? Check out the official Docker Security Guide.
💡 Who am I?
I'm Gabriel Carmo, passionate about technology (especially Open Source). I have experience in Cloud, Kubernetes, OpenShift, Zabbix, Dynatrace and much more! Always exploring new technologies and sharing knowledge. 🚀
📬 Let's connect?
🔗 LinkedIn
🐙 GitHub
🦊 GitLab
🏅 Credly
📧 Contact: contato@gabrielandre.com.br