use docker's remote API in a secure manner












1















I am trying to find an effective way to use the docker remote API in a secure way.
I have a docker daemon running in a remote host, and a docker client on a different machine. I need my solution to not be client/server OS dependent, so that it would be relevant to any machine with a docker client/daemon etc.



So far, the only way I found to do such a thing is to create certs on a Linux machine with openssl and copy the certs to the client/server manually, as in this example:



https://docs.docker.com/engine/security/https/



and then configure docker on both sides to use the certificates for encryption and authentication.



This method is rather clunky in my opinion, because some times it's a problem to copy files and put them on each machine I want to use remote API from.



I am looking for something more elegant.



Another solution I've found is using a proxy for basic HTTP authentication, but in this method the traffic is not encrypted and it is not really secure that way.



Does anyone have a suggestion for a different solution or for a way to improve one of the above?






docker authentication encryption tls1.2







share|improve this question





























    1















    I am trying to find an effective way to use the docker remote API in a secure way.
    I have a docker daemon running in a remote host, and a docker client on a different machine. I need my solution to not be client/server OS dependent, so that it would be relevant to any machine with a docker client/daemon etc.



    So far, the only way I found to do such a thing is to create certs on a Linux machine with openssl and copy the certs to the client/server manually, as in this example:



    https://docs.docker.com/engine/security/https/



    and then configure docker on both sides to use the certificates for encryption and authentication.



    This method is rather clunky in my opinion, because some times it's a problem to copy files and put them on each machine I want to use remote API from.



    I am looking for something more elegant.



    Another solution I've found is using a proxy for basic HTTP authentication, but in this method the traffic is not encrypted and it is not really secure that way.



    Does anyone have a suggestion for a different solution or for a way to improve one of the above?






    docker authentication encryption tls1.2







    share|improve this question



























      1












      1








      1








      I am trying to find an effective way to use the docker remote API in a secure way.
      I have a docker daemon running in a remote host, and a docker client on a different machine. I need my solution to not be client/server OS dependent, so that it would be relevant to any machine with a docker client/daemon etc.



      So far, the only way I found to do such a thing is to create certs on a Linux machine with openssl and copy the certs to the client/server manually, as in this example:



      https://docs.docker.com/engine/security/https/



      and then configure docker on both sides to use the certificates for encryption and authentication.



      This method is rather clunky in my opinion, because some times it's a problem to copy files and put them on each machine I want to use remote API from.



      I am looking for something more elegant.



      Another solution I've found is using a proxy for basic HTTP authentication, but in this method the traffic is not encrypted and it is not really secure that way.



      Does anyone have a suggestion for a different solution or for a way to improve one of the above?






      docker authentication encryption tls1.2







      share|improve this question
















      I am trying to find an effective way to use the docker remote API in a secure way.
      I have a docker daemon running in a remote host, and a docker client on a different machine. I need my solution to not be client/server OS dependent, so that it would be relevant to any machine with a docker client/daemon etc.



      So far, the only way I found to do such a thing is to create certs on a Linux machine with openssl and copy the certs to the client/server manually, as in this example:



      https://docs.docker.com/engine/security/https/



      and then configure docker on both sides to use the certificates for encryption and authentication.



      This method is rather clunky in my opinion, because some times it's a problem to copy files and put them on each machine I want to use remote API from.



      I am looking for something more elegant.



      Another solution I've found is using a proxy for basic HTTP authentication, but in this method the traffic is not encrypted and it is not really secure that way.



      Does anyone have a suggestion for a different solution or for a way to improve one of the above?






      docker authentication encryption tls1.2




      docker authentication encryption tls1.2






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 13 '18 at 20:03







      Roy Cohen

















      asked Nov 13 '18 at 8:34









      Roy CohenRoy Cohen

      266




      266
























          2 Answers
          2






          active

          oldest

          votes


















          1














          Your favorite system automation tool (Chef, SaltStack, Ansible) can probably directly manage the running Docker containers on a remote host, without opening another root-equivalent network path. There are Docker-oriented clustering tools (Docker Swarm, Nomad, Kubernetes, AWS ECS) that can run a container locally or remotely, but you have less control over where exactly (you frequently don't actually care) and they tend to take over the machines they're running on.



          If I really had to manage systems this way I'd probably use some sort of centralized storage to keep the TLS client keys, most likely Vault, which has the property of storing the keys encrypted, requiring some level of authentication to retrieve them, and being able to access-control them. You could write a shell function like this (untested):



          dockerHost() {
          
  mkdir -p "$HOME/.docker/$1"
          
  JSON=$(vault kv get -format=json "secret/docker/$1")
          
  for f in ca.pem cert.pem key.pem; do
          
    echo "$JSON" | jq ".data.data.["$f"]" > "$HOME/.docker/$1/$f"
          
  done
          
  export DOCKER_HOST="https://$1:2376"
          
  export DOCKER_CERT_PATH="$HOME/.docker/$1"
          
}


          While your question makes clear you understand this, it bears repeating: do not enable unauthenticated remote access to the Docker daemon, since it is trivial to take over a host with unrestricted root access if you can access the socket at all.






          share|improve this answer



















          • 1





            my problem with clustering tools is that I am looking to deploy multiple containers on a single host and I don't need a whole cluster for that matter, only 1 host. I thought about using a single host cluster, but that feels wrong to me. Do you think it is a good option?

            – Roy Cohen
            Nov 13 '18 at 12:01













          • Honestly, it's overkill for a lot of things, and I wish Swarm wasn't quite so prominent in the official Docker tutorials. For multiple containers on a single host, though, Docker Compose is pretty lightweight and standardized; but it doesn't work well for multi-host installations, which is what your original question was more getting at.

            – David Maze
            Nov 13 '18 at 12:13











          • I want only a single host to be the docker host, and I want to be able to control this host remotely, using a docker client only on a remote host. the client will not have a docker daemon, but only the cli docker client binary

            – Roy Cohen
            Nov 13 '18 at 12:18













          • My very first choice for that setup would just be to ssh to the host.

            – David Maze
            Nov 13 '18 at 12:20











          • currently I am using ssh but I am looking to do it in a program/script and not manually. I have a lot of docker actions and configurations which I want to perform from a remote host (create containers, connect them to networks etc..) I want to use the docker-py module in order to do so. I also try to wrap the docker remote API in some kind of an interface which is relevant to the app that runs on the containers.

            – Roy Cohen
            Nov 13 '18 at 12:35





















          1














          Based on your comments, I would suggest you go with Ansible if you don't need the swarm functionality and require only single host support. Ansible only requires SSH access which you probably already have available.



          It's very easy to use an existing service that's defined in Docker Compose or you can just invoke your shell scripts in Ansible. No need to expose the Docker daemon to the external world.



          A very simple example file (playbook.yml)



          - hosts: all
          
  tasks:
          
  - name: setup container
          
    docker_container:
          
      name: helloworld
          
      image: hello-world


          Running the playbook

          ansible-playbook -i username@mysshhost.com, playbook.yml



          Ansible provides pretty much all of the functionality you need to interact with Docker via its module system:



          docker_service
          
    Use your existing Docker compose files to orchestrate containers on a single Docker daemon or on Swarm. Supports compose versions 1 and 2.
          
docker_container
          
    Manages the container lifecycle by providing the ability to create, update, stop, start and destroy a container.
          
docker_image
          
    Provides full control over images, including: build, pull, push, tag and remove.
          
docker_image_facts
          
    Inspects one or more images in the Docker host’s image cache, providing the information as facts for making decision or assertions in a playbook.
          
docker_login
          
    Authenticates with Docker Hub or any Docker registry and updates the Docker Engine config file, which in turn provides password-free pushing and pulling of images to and from the registry.
          
docker (dynamic inventory)
          
    Dynamically builds an inventory of all the available containers from a set of one or more Docker hosts.





          share|improve this answer
























          • thank you for the detailed comment. I've looked into Ansible but it doesn't seem to fit because the "Ansible master" must be a Linux machine. in my solution, I'm looking to allow any type of machine with any OS to control the containers from afar. For example, using only the docker client binary, any host(windows, OSX, Linux etc) that supports docker can control the containers remotely with no dependencies except for a single binary.

            – Roy Cohen
            Nov 14 '18 at 10:18











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53276839%2fuse-dockers-remote-api-in-a-secure-manner%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          Your favorite system automation tool (Chef, SaltStack, Ansible) can probably directly manage the running Docker containers on a remote host, without opening another root-equivalent network path. There are Docker-oriented clustering tools (Docker Swarm, Nomad, Kubernetes, AWS ECS) that can run a container locally or remotely, but you have less control over where exactly (you frequently don't actually care) and they tend to take over the machines they're running on.



          If I really had to manage systems this way I'd probably use some sort of centralized storage to keep the TLS client keys, most likely Vault, which has the property of storing the keys encrypted, requiring some level of authentication to retrieve them, and being able to access-control them. You could write a shell function like this (untested):



          dockerHost() {
          
  mkdir -p "$HOME/.docker/$1"
          
  JSON=$(vault kv get -format=json "secret/docker/$1")
          
  for f in ca.pem cert.pem key.pem; do
          
    echo "$JSON" | jq ".data.data.["$f"]" > "$HOME/.docker/$1/$f"
          
  done
          
  export DOCKER_HOST="https://$1:2376"
          
  export DOCKER_CERT_PATH="$HOME/.docker/$1"
          
}


          While your question makes clear you understand this, it bears repeating: do not enable unauthenticated remote access to the Docker daemon, since it is trivial to take over a host with unrestricted root access if you can access the socket at all.






          share|improve this answer



















          • 1





            my problem with clustering tools is that I am looking to deploy multiple containers on a single host and I don't need a whole cluster for that matter, only 1 host. I thought about using a single host cluster, but that feels wrong to me. Do you think it is a good option?

            – Roy Cohen
            Nov 13 '18 at 12:01













          • Honestly, it's overkill for a lot of things, and I wish Swarm wasn't quite so prominent in the official Docker tutorials. For multiple containers on a single host, though, Docker Compose is pretty lightweight and standardized; but it doesn't work well for multi-host installations, which is what your original question was more getting at.

            – David Maze
            Nov 13 '18 at 12:13











          • I want only a single host to be the docker host, and I want to be able to control this host remotely, using a docker client only on a remote host. the client will not have a docker daemon, but only the cli docker client binary

            – Roy Cohen
            Nov 13 '18 at 12:18













          • My very first choice for that setup would just be to ssh to the host.

            – David Maze
            Nov 13 '18 at 12:20











          • currently I am using ssh but I am looking to do it in a program/script and not manually. I have a lot of docker actions and configurations which I want to perform from a remote host (create containers, connect them to networks etc..) I want to use the docker-py module in order to do so. I also try to wrap the docker remote API in some kind of an interface which is relevant to the app that runs on the containers.

            – Roy Cohen
            Nov 13 '18 at 12:35


















          1














          Your favorite system automation tool (Chef, SaltStack, Ansible) can probably directly manage the running Docker containers on a remote host, without opening another root-equivalent network path. There are Docker-oriented clustering tools (Docker Swarm, Nomad, Kubernetes, AWS ECS) that can run a container locally or remotely, but you have less control over where exactly (you frequently don't actually care) and they tend to take over the machines they're running on.



          If I really had to manage systems this way I'd probably use some sort of centralized storage to keep the TLS client keys, most likely Vault, which has the property of storing the keys encrypted, requiring some level of authentication to retrieve them, and being able to access-control them. You could write a shell function like this (untested):



          dockerHost() {
          
  mkdir -p "$HOME/.docker/$1"
          
  JSON=$(vault kv get -format=json "secret/docker/$1")
          
  for f in ca.pem cert.pem key.pem; do
          
    echo "$JSON" | jq ".data.data.["$f"]" > "$HOME/.docker/$1/$f"
          
  done
          
  export DOCKER_HOST="https://$1:2376"
          
  export DOCKER_CERT_PATH="$HOME/.docker/$1"
          
}


          While your question makes clear you understand this, it bears repeating: do not enable unauthenticated remote access to the Docker daemon, since it is trivial to take over a host with unrestricted root access if you can access the socket at all.






          share|improve this answer



















          • 1





            my problem with clustering tools is that I am looking to deploy multiple containers on a single host and I don't need a whole cluster for that matter, only 1 host. I thought about using a single host cluster, but that feels wrong to me. Do you think it is a good option?

            – Roy Cohen
            Nov 13 '18 at 12:01













          • Honestly, it's overkill for a lot of things, and I wish Swarm wasn't quite so prominent in the official Docker tutorials. For multiple containers on a single host, though, Docker Compose is pretty lightweight and standardized; but it doesn't work well for multi-host installations, which is what your original question was more getting at.

            – David Maze
            Nov 13 '18 at 12:13











          • I want only a single host to be the docker host, and I want to be able to control this host remotely, using a docker client only on a remote host. the client will not have a docker daemon, but only the cli docker client binary

            – Roy Cohen
            Nov 13 '18 at 12:18













          • My very first choice for that setup would just be to ssh to the host.

            – David Maze
            Nov 13 '18 at 12:20











          • currently I am using ssh but I am looking to do it in a program/script and not manually. I have a lot of docker actions and configurations which I want to perform from a remote host (create containers, connect them to networks etc..) I want to use the docker-py module in order to do so. I also try to wrap the docker remote API in some kind of an interface which is relevant to the app that runs on the containers.

            – Roy Cohen
            Nov 13 '18 at 12:35
















          1












          1








          1







          Your favorite system automation tool (Chef, SaltStack, Ansible) can probably directly manage the running Docker containers on a remote host, without opening another root-equivalent network path. There are Docker-oriented clustering tools (Docker Swarm, Nomad, Kubernetes, AWS ECS) that can run a container locally or remotely, but you have less control over where exactly (you frequently don't actually care) and they tend to take over the machines they're running on.



          If I really had to manage systems this way I'd probably use some sort of centralized storage to keep the TLS client keys, most likely Vault, which has the property of storing the keys encrypted, requiring some level of authentication to retrieve them, and being able to access-control them. You could write a shell function like this (untested):



          dockerHost() {
          
  mkdir -p "$HOME/.docker/$1"
          
  JSON=$(vault kv get -format=json "secret/docker/$1")
          
  for f in ca.pem cert.pem key.pem; do
          
    echo "$JSON" | jq ".data.data.["$f"]" > "$HOME/.docker/$1/$f"
          
  done
          
  export DOCKER_HOST="https://$1:2376"
          
  export DOCKER_CERT_PATH="$HOME/.docker/$1"
          
}


          While your question makes clear you understand this, it bears repeating: do not enable unauthenticated remote access to the Docker daemon, since it is trivial to take over a host with unrestricted root access if you can access the socket at all.






          share|improve this answer













          Your favorite system automation tool (Chef, SaltStack, Ansible) can probably directly manage the running Docker containers on a remote host, without opening another root-equivalent network path. There are Docker-oriented clustering tools (Docker Swarm, Nomad, Kubernetes, AWS ECS) that can run a container locally or remotely, but you have less control over where exactly (you frequently don't actually care) and they tend to take over the machines they're running on.



          If I really had to manage systems this way I'd probably use some sort of centralized storage to keep the TLS client keys, most likely Vault, which has the property of storing the keys encrypted, requiring some level of authentication to retrieve them, and being able to access-control them. You could write a shell function like this (untested):



          dockerHost() {
          
  mkdir -p "$HOME/.docker/$1"
          
  JSON=$(vault kv get -format=json "secret/docker/$1")
          
  for f in ca.pem cert.pem key.pem; do
          
    echo "$JSON" | jq ".data.data.["$f"]" > "$HOME/.docker/$1/$f"
          
  done
          
  export DOCKER_HOST="https://$1:2376"
          
  export DOCKER_CERT_PATH="$HOME/.docker/$1"
          
}


          While your question makes clear you understand this, it bears repeating: do not enable unauthenticated remote access to the Docker daemon, since it is trivial to take over a host with unrestricted root access if you can access the socket at all.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 13 '18 at 11:37









          David MazeDavid Maze

          11.4k21023




          11.4k21023








          • 1





            my problem with clustering tools is that I am looking to deploy multiple containers on a single host and I don't need a whole cluster for that matter, only 1 host. I thought about using a single host cluster, but that feels wrong to me. Do you think it is a good option?

            – Roy Cohen
            Nov 13 '18 at 12:01













          • Honestly, it's overkill for a lot of things, and I wish Swarm wasn't quite so prominent in the official Docker tutorials. For multiple containers on a single host, though, Docker Compose is pretty lightweight and standardized; but it doesn't work well for multi-host installations, which is what your original question was more getting at.

            – David Maze
            Nov 13 '18 at 12:13











          • I want only a single host to be the docker host, and I want to be able to control this host remotely, using a docker client only on a remote host. the client will not have a docker daemon, but only the cli docker client binary

            – Roy Cohen
            Nov 13 '18 at 12:18













          • My very first choice for that setup would just be to ssh to the host.

            – David Maze
            Nov 13 '18 at 12:20











          • currently I am using ssh but I am looking to do it in a program/script and not manually. I have a lot of docker actions and configurations which I want to perform from a remote host (create containers, connect them to networks etc..) I want to use the docker-py module in order to do so. I also try to wrap the docker remote API in some kind of an interface which is relevant to the app that runs on the containers.

            – Roy Cohen
            Nov 13 '18 at 12:35
















          • 1





            my problem with clustering tools is that I am looking to deploy multiple containers on a single host and I don't need a whole cluster for that matter, only 1 host. I thought about using a single host cluster, but that feels wrong to me. Do you think it is a good option?

            – Roy Cohen
            Nov 13 '18 at 12:01













          • Honestly, it's overkill for a lot of things, and I wish Swarm wasn't quite so prominent in the official Docker tutorials. For multiple containers on a single host, though, Docker Compose is pretty lightweight and standardized; but it doesn't work well for multi-host installations, which is what your original question was more getting at.

            – David Maze
            Nov 13 '18 at 12:13











          • I want only a single host to be the docker host, and I want to be able to control this host remotely, using a docker client only on a remote host. the client will not have a docker daemon, but only the cli docker client binary

            – Roy Cohen
            Nov 13 '18 at 12:18













          • My very first choice for that setup would just be to ssh to the host.

            – David Maze
            Nov 13 '18 at 12:20











          • currently I am using ssh but I am looking to do it in a program/script and not manually. I have a lot of docker actions and configurations which I want to perform from a remote host (create containers, connect them to networks etc..) I want to use the docker-py module in order to do so. I also try to wrap the docker remote API in some kind of an interface which is relevant to the app that runs on the containers.

            – Roy Cohen
            Nov 13 '18 at 12:35










          1




          1





          my problem with clustering tools is that I am looking to deploy multiple containers on a single host and I don't need a whole cluster for that matter, only 1 host. I thought about using a single host cluster, but that feels wrong to me. Do you think it is a good option?

          – Roy Cohen
          Nov 13 '18 at 12:01







          my problem with clustering tools is that I am looking to deploy multiple containers on a single host and I don't need a whole cluster for that matter, only 1 host. I thought about using a single host cluster, but that feels wrong to me. Do you think it is a good option?

          – Roy Cohen
          Nov 13 '18 at 12:01















          Honestly, it's overkill for a lot of things, and I wish Swarm wasn't quite so prominent in the official Docker tutorials. For multiple containers on a single host, though, Docker Compose is pretty lightweight and standardized; but it doesn't work well for multi-host installations, which is what your original question was more getting at.

          – David Maze
          Nov 13 '18 at 12:13





          Honestly, it's overkill for a lot of things, and I wish Swarm wasn't quite so prominent in the official Docker tutorials. For multiple containers on a single host, though, Docker Compose is pretty lightweight and standardized; but it doesn't work well for multi-host installations, which is what your original question was more getting at.

          – David Maze
          Nov 13 '18 at 12:13













          I want only a single host to be the docker host, and I want to be able to control this host remotely, using a docker client only on a remote host. the client will not have a docker daemon, but only the cli docker client binary

          – Roy Cohen
          Nov 13 '18 at 12:18







          I want only a single host to be the docker host, and I want to be able to control this host remotely, using a docker client only on a remote host. the client will not have a docker daemon, but only the cli docker client binary

          – Roy Cohen
          Nov 13 '18 at 12:18















          My very first choice for that setup would just be to ssh to the host.

          – David Maze
          Nov 13 '18 at 12:20





          My very first choice for that setup would just be to ssh to the host.

          – David Maze
          Nov 13 '18 at 12:20













          currently I am using ssh but I am looking to do it in a program/script and not manually. I have a lot of docker actions and configurations which I want to perform from a remote host (create containers, connect them to networks etc..) I want to use the docker-py module in order to do so. I also try to wrap the docker remote API in some kind of an interface which is relevant to the app that runs on the containers.

          – Roy Cohen
          Nov 13 '18 at 12:35







          currently I am using ssh but I am looking to do it in a program/script and not manually. I have a lot of docker actions and configurations which I want to perform from a remote host (create containers, connect them to networks etc..) I want to use the docker-py module in order to do so. I also try to wrap the docker remote API in some kind of an interface which is relevant to the app that runs on the containers.

          – Roy Cohen
          Nov 13 '18 at 12:35















          1














          Based on your comments, I would suggest you go with Ansible if you don't need the swarm functionality and require only single host support. Ansible only requires SSH access which you probably already have available.



          It's very easy to use an existing service that's defined in Docker Compose or you can just invoke your shell scripts in Ansible. No need to expose the Docker daemon to the external world.



          A very simple example file (playbook.yml)



          - hosts: all
          
  tasks:
          
  - name: setup container
          
    docker_container:
          
      name: helloworld
          
      image: hello-world


          Running the playbook

          ansible-playbook -i username@mysshhost.com, playbook.yml



          Ansible provides pretty much all of the functionality you need to interact with Docker via its module system:



          docker_service
          
    Use your existing Docker compose files to orchestrate containers on a single Docker daemon or on Swarm. Supports compose versions 1 and 2.
          
docker_container
          
    Manages the container lifecycle by providing the ability to create, update, stop, start and destroy a container.
          
docker_image
          
    Provides full control over images, including: build, pull, push, tag and remove.
          
docker_image_facts
          
    Inspects one or more images in the Docker host’s image cache, providing the information as facts for making decision or assertions in a playbook.
          
docker_login
          
    Authenticates with Docker Hub or any Docker registry and updates the Docker Engine config file, which in turn provides password-free pushing and pulling of images to and from the registry.
          
docker (dynamic inventory)
          
    Dynamically builds an inventory of all the available containers from a set of one or more Docker hosts.





          share|improve this answer
























          • thank you for the detailed comment. I've looked into Ansible but it doesn't seem to fit because the "Ansible master" must be a Linux machine. in my solution, I'm looking to allow any type of machine with any OS to control the containers from afar. For example, using only the docker client binary, any host(windows, OSX, Linux etc) that supports docker can control the containers remotely with no dependencies except for a single binary.

            – Roy Cohen
            Nov 14 '18 at 10:18
















          1














          Based on your comments, I would suggest you go with Ansible if you don't need the swarm functionality and require only single host support. Ansible only requires SSH access which you probably already have available.



          It's very easy to use an existing service that's defined in Docker Compose or you can just invoke your shell scripts in Ansible. No need to expose the Docker daemon to the external world.



          A very simple example file (playbook.yml)



          - hosts: all
          
  tasks:
          
  - name: setup container
          
    docker_container:
          
      name: helloworld
          
      image: hello-world


          Running the playbook

          ansible-playbook -i username@mysshhost.com, playbook.yml



          Ansible provides pretty much all of the functionality you need to interact with Docker via its module system:



          docker_service
          
    Use your existing Docker compose files to orchestrate containers on a single Docker daemon or on Swarm. Supports compose versions 1 and 2.
          
docker_container
          
    Manages the container lifecycle by providing the ability to create, update, stop, start and destroy a container.
          
docker_image
          
    Provides full control over images, including: build, pull, push, tag and remove.
          
docker_image_facts
          
    Inspects one or more images in the Docker host’s image cache, providing the information as facts for making decision or assertions in a playbook.
          
docker_login
          
    Authenticates with Docker Hub or any Docker registry and updates the Docker Engine config file, which in turn provides password-free pushing and pulling of images to and from the registry.
          
docker (dynamic inventory)
          
    Dynamically builds an inventory of all the available containers from a set of one or more Docker hosts.





          share|improve this answer
























          • thank you for the detailed comment. I've looked into Ansible but it doesn't seem to fit because the "Ansible master" must be a Linux machine. in my solution, I'm looking to allow any type of machine with any OS to control the containers from afar. For example, using only the docker client binary, any host(windows, OSX, Linux etc) that supports docker can control the containers remotely with no dependencies except for a single binary.

            – Roy Cohen
            Nov 14 '18 at 10:18














          1












          1








          1







          Based on your comments, I would suggest you go with Ansible if you don't need the swarm functionality and require only single host support. Ansible only requires SSH access which you probably already have available.



          It's very easy to use an existing service that's defined in Docker Compose or you can just invoke your shell scripts in Ansible. No need to expose the Docker daemon to the external world.



          A very simple example file (playbook.yml)



          - hosts: all
          
  tasks:
          
  - name: setup container
          
    docker_container:
          
      name: helloworld
          
      image: hello-world


          Running the playbook

          ansible-playbook -i username@mysshhost.com, playbook.yml



          Ansible provides pretty much all of the functionality you need to interact with Docker via its module system:



          docker_service
          
    Use your existing Docker compose files to orchestrate containers on a single Docker daemon or on Swarm. Supports compose versions 1 and 2.
          
docker_container
          
    Manages the container lifecycle by providing the ability to create, update, stop, start and destroy a container.
          
docker_image
          
    Provides full control over images, including: build, pull, push, tag and remove.
          
docker_image_facts
          
    Inspects one or more images in the Docker host’s image cache, providing the information as facts for making decision or assertions in a playbook.
          
docker_login
          
    Authenticates with Docker Hub or any Docker registry and updates the Docker Engine config file, which in turn provides password-free pushing and pulling of images to and from the registry.
          
docker (dynamic inventory)
          
    Dynamically builds an inventory of all the available containers from a set of one or more Docker hosts.





          share|improve this answer













          Based on your comments, I would suggest you go with Ansible if you don't need the swarm functionality and require only single host support. Ansible only requires SSH access which you probably already have available.



          It's very easy to use an existing service that's defined in Docker Compose or you can just invoke your shell scripts in Ansible. No need to expose the Docker daemon to the external world.



          A very simple example file (playbook.yml)



          - hosts: all
          
  tasks:
          
  - name: setup container
          
    docker_container:
          
      name: helloworld
          
      image: hello-world


          Running the playbook

          ansible-playbook -i username@mysshhost.com, playbook.yml



          Ansible provides pretty much all of the functionality you need to interact with Docker via its module system:



          docker_service
          
    Use your existing Docker compose files to orchestrate containers on a single Docker daemon or on Swarm. Supports compose versions 1 and 2.
          
docker_container
          
    Manages the container lifecycle by providing the ability to create, update, stop, start and destroy a container.
          
docker_image
          
    Provides full control over images, including: build, pull, push, tag and remove.
          
docker_image_facts
          
    Inspects one or more images in the Docker host’s image cache, providing the information as facts for making decision or assertions in a playbook.
          
docker_login
          
    Authenticates with Docker Hub or any Docker registry and updates the Docker Engine config file, which in turn provides password-free pushing and pulling of images to and from the registry.
          
docker (dynamic inventory)
          
    Dynamically builds an inventory of all the available containers from a set of one or more Docker hosts.






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 13 '18 at 15:03









          Uku LoskitUku Loskit

          30.3k86879




          30.3k86879













          • thank you for the detailed comment. I've looked into Ansible but it doesn't seem to fit because the "Ansible master" must be a Linux machine. in my solution, I'm looking to allow any type of machine with any OS to control the containers from afar. For example, using only the docker client binary, any host(windows, OSX, Linux etc) that supports docker can control the containers remotely with no dependencies except for a single binary.

            – Roy Cohen
            Nov 14 '18 at 10:18



















          • thank you for the detailed comment. I've looked into Ansible but it doesn't seem to fit because the "Ansible master" must be a Linux machine. in my solution, I'm looking to allow any type of machine with any OS to control the containers from afar. For example, using only the docker client binary, any host(windows, OSX, Linux etc) that supports docker can control the containers remotely with no dependencies except for a single binary.

            – Roy Cohen
            Nov 14 '18 at 10:18

















          thank you for the detailed comment. I've looked into Ansible but it doesn't seem to fit because the "Ansible master" must be a Linux machine. in my solution, I'm looking to allow any type of machine with any OS to control the containers from afar. For example, using only the docker client binary, any host(windows, OSX, Linux etc) that supports docker can control the containers remotely with no dependencies except for a single binary.

          – Roy Cohen
          Nov 14 '18 at 10:18





          thank you for the detailed comment. I've looked into Ansible but it doesn't seem to fit because the "Ansible master" must be a Linux machine. in my solution, I'm looking to allow any type of machine with any OS to control the containers from afar. For example, using only the docker client binary, any host(windows, OSX, Linux etc) that supports docker can control the containers remotely with no dependencies except for a single binary.

          – Roy Cohen
          Nov 14 '18 at 10:18


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53276839%2fuse-dockers-remote-api-in-a-secure-manner%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          這個網誌中的熱門文章

          Hercules Kyvelos

          圖片
          Hercules Kyvelos Statistics Real name Hercules Kyvelos Nickname(s) The God Weight(s) Middleweight Light Middleweight Welterweight Height 5 ft 10 in (180 cm) Reach 72 in (183 cm) Nationality Canadian Born ( 1975-02-25 ) February 25, 1975 (age 43) Montreal, Quebec Stance Orthodox Boxing record Total fights 27 Wins 24 Wins by KO 12 Losses 3 Draws 0 No contests 0 Hercules Kyvelos Medal record Men's Boxing Representing   Canada Pan American Games 1995 Mar del Plata Welterweight Hercules Kyvelos (born February 25, 1975) is a Greek-Canadian boxer in the Welterweight division and is the former Canadian Welterweight Champion. [1] He fought at the 1996 Summer Olympics in Atlanta, Georgia. Contents 1 Early life 2 Amateur career 3 Pro career 3.1 WBO Welterweight Championship 3.2 Personal life 4 References 5 External links Early life Hercules was born in
          閱讀完整內容

          Tangent Lines Diagram Along Smooth Curve

          圖片
          7 1 I am trying to replicate a diagram and have a minimal example. I don't know how to add additional tangents between the specified points and preserve smoothness. documentclass{article} usepackage{tikz} usetikzlibrary{calc,intersections} begin{document} begin{tikzpicture} % Axes draw [->, name path=x] (-1,0) -- (11,0) node [right] {$x$}; draw [->] (0,-1) -- (0,6) node [above] {$y$}; % Origin node at (0,0) [below left] {$0$}; % Points coordinate (start) at (1,-0.8); coordinate (c1) at (3,3); coordinate (c2) at (5.5,1.5); coordinate (c3) at (8,4); coordinate (end) at (10.5,-0.8); % show the points foreach n in {start,c1,c2,c3,end} fill [black] (n) circle (2pt) node [below] {}; % join the coordinates draw [thick,name path=curve] (start) to[out=70,in=180] (c1) to[out=0,in=180]
          閱讀完整內容

          Yusuf al-Mu'taman ibn Hud

          圖片
          Main article: Taifa of Zaragoza Al-Mu'taman Ruler of Zaragoza Reign 1081–1085 Predecessor Ahmad al-Muqtadir Successor Al-Mustain II Born Zaragoza Died 1085 Full name Yusuf ibn Ahmad al-Mu'taman ibn Hūd House Banu Hud Yusuf ibn Ahmad al-Mu'taman ibn Hūd (Arabic: المؤتمن بالله يوسف إبن أحمد إبن هود ‎, al-Mutaman bi l-Lah , died c. 1085) was the third king of the Banu Hud dynasty who ruled over the Taifa of Zaragoza from 1081 to 1085. Yusuf al-Mutaman reigned during the height of power of Muslim Zaragoza , following the thriving period of his father Ahmad al-Muqtadir. He continued his father's efforts and created around him a court of intellectuals, living in the beautiful palace of Aljafería, nicknamed as "the palace of joy". Al-Mu'taman was also a scholarly king and a patron of science, philosophy and arts. As an example of a wise king, he knew astrology, philosophy, and especially mathematics, a discipline in which
          閱讀完整內容