Question

How Can I Use a Remote Docker Engine with My Local Docker CLI?

Posted on August 29, 2024
Docker
Asked by 12611cf0c33146e9b700a09941cfec

I’m trying to set up my local Docker CLI to communicate with a remote Docker Engine running on a DigitalOcean Droplet. Basically, I don’t have much resources on my local machine so I need to run some builds and runs on a remote Droplet.

I’d like to understand:

How can I securely configure my local Docker CLI to use the remote engine?
Are there any best practices for securing the connection (e.g., certificates, SSH tunnels)?
What are the main benefits and potential downsides of using a remote Docker Engine compared to a local one?

I’ve looked at the Docker documentation, but I’d love to hear from the community about practical tips, common pitfalls, and real-world use cases.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev

Site Moderator

• November 24, 2024

Accepted Answer

Hey there!

One way of of doing this is, uou can connect your local Docker CLI to a remote Docker Engine by setting the DOCKER_HOST environment variable.

Here’s how to do it:

First, make sure that you have Docker is installed on your Droplet and running.
Then, on your Droplet, edit the Docker service file to enable the remote API:

sudo nano /lib/systemd/system/docker.service

Find the line that starts with ExecStart and modify it to include the -H flag for the remote API:

ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375

Save and restart Docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

On your local machine, you can now connect to the remote engine by running:

export DOCKER_HOST=tcp://<your-droplet-ip>:2375
docker ps

For production setups, exposing the Docker API on an open port is risky. Here’s how to secure it:

Option 1: Use SSH Tunnels Create an SSH tunnel to your remote Droplet:
```
ssh -L 2375:localhost:2375 root@<your-droplet-ip>
```
Then point your DOCKER_HOST to localhost instead:
```
export DOCKER_HOST=tcp://localhost:2375
docker ps
```
Option 2: Use Certificates Configure Docker to use TLS certificates for authentication. The official Docker docs have step-by-step instructions for this.

Regarding the benefits, I would say that they are:

Allows you to manage your remote Docker environment without SSHing into the server.
Useful for CI/CD pipelines and multi-user collaboration.

And for the downsides:

If not secured properly, it can expose your server to unauthorized access.
Networking overhead might slightly increase latency.

If you want to dive deeper into Docker, I’ve got a free eBook that might help: Introduction to Docker. It covers the basics of Docker, setting up environments, and much more.

Also, here is a great video that also covers the above!