Expose Docker Daemon on TCP Port 2376


Exposing the Docker daemon on TCP port 2376 means configuring it to listen on a TCP socket in addition to the default Unix socket. This allows remote access to the daemon, but it must be done with caution: anyone who can reach the Docker API can start containers and mount host paths, which amounts to root access on the host. It is highly recommended to secure the connection with TLS.

Here's a step-by-step guide to exposing your Docker daemon on TCP port 2376:

Configure the Docker Daemon

  1. Edit Docker Daemon Configuration File:

    • Open the Docker daemon configuration file, typically located at /etc/docker/daemon.json. If this file does not exist, create it.
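    • Add or modify the following lines to set the daemon to listen on both the Unix socket and TCP port 2376. The address 0.0.0.0 binds every interface; use a specific interface address instead to narrow the exposure:

      { "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"] }

  2. Restart Docker Service:

    • After making the changes, restart the Docker service to apply the new configuration. On systemd hosts whose docker unit already passes a -H option to dockerd, the hosts key conflicts with it and the daemon will fail to start; remove the option from the unit with a drop-in override first.

      sudo systemctl restart docker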

Secure the Docker Daemon with TLS

Exposing the Docker daemon without TLS encryption is insecure. You should generate TLS certificates to encrypt the connection.

  1. Create TLS Certificates:

    • You need a CA (Certificate Authority) certificate, a server certificate, and a server key. You can generate these using OpenSSL or similar tools.
    • The server certificate should be signed by the CA and should include the IP address or hostname of the Docker host as a subject alternative name.
  2. Configure Docker Daemon for TLS:

    • Modify the /etc/docker/daemon.json file to include the paths to the TLS certificates. The tlsverify setting makes the daemon require a client certificate signed by the CA; with tls alone the connection is encrypted but clients are not authenticated:

      {
        "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
        "tls": true,
        "tlscacert": "/path/to/ca.pem",
        "tlscert": "/path/to/server-cert.pem",
        "tlskey": "/path/to/server-key.pem",
        "tlsverify": true
      }

  3. Restart Docker Service Again:

    • Restart the Docker service to apply the TLS configuration:

      sudo systemctl restart docker
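
The certificate step above, written out with OpenSSL as an added example (not part of the original guide). The function name gen_docker_tls, the CNs "docker-ca" and "client", and the 365-day lifetime are assumptions; the output file names match the ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the original page): private CA plus server and
# client certificates for dockerd mutual TLS. The CNs "docker-ca" and
# "client" and the 365-day lifetime are assumptions.
# Usage: gen_docker_tls OUT_DIR HOSTNAME IP [RSA_BITS]
gen_docker_tls() (
    set -e
    out=$1 host=$2 ip=$3 bits=${4:-4096}
    umask 077                        # new files are owner-only
    mkdir -p "$out"
    cd "$out"

    # Own minimal config, so the CA extensions do not depend on openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf

    # 1. CA key and self-signed CA certificate (ca.pem is "tlscacert").
    openssl genrsa -out ca-key.pem "$bits"
    openssl req -new -x509 -config ca.cnf -sha256 -days 365 \
        -key ca-key.pem -subj "/CN=docker-ca" -out ca.pem

    # 2. Server key and certificate. The SAN carries the Docker host's name
    #    and IP; extendedKeyUsage limits the cert to server authentication.
    openssl genrsa -out server-key.pem "$bits"
    openssl req -new -config ca.cnf -sha256 -key server-key.pem \
        -subj "/CN=$host" -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ip" > server.ext
    openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.pem \
        -CAkey ca-key.pem -CAcreateserial -extfile server.ext \
        -out server-cert.pem

    # 3. Client key and certificate, valid for client authentication only.
    openssl genrsa -out key.pem "$bits"
    openssl req -new -config ca.cnf -sha256 -key key.pem \
        -subj "/CN=client" -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client.ext
    openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.pem \
        -CAkey ca-key.pem -CAcreateserial -extfile client.ext -out cert.pem

    # Drop intermediates; keys owner read-only, certificates world-readable.
    rm -f ca.cnf server.csr server.ext client.csr client.ext
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
)

# Run as a script only when arguments are given.
if [ "$#" -ge 3 ]; then gen_docker_tls "$@"; fi
```

Copy only ca.pem, server-cert.pem and server-key.pem to the Docker host and keep ca-key.pem off it: whoever holds the CA key can issue client certificates the daemon will accept.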

Connecting to the Docker Daemon Remotely

  • To connect to this Docker daemon remotely, you will need the client to use the CA certificate, as well as a client certificate and key that are also signed by the CA.
  • When using Docker client commands, specify the Docker host and include the TLS options:

      docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=tcp://<hostname>:2376 version

Important Notes

  • Security: Exposing the Docker daemon, especially over the network, can be a significant security risk. Ensure that you have proper firewall rules and access controls in place.
  • TLS Certificates: Using TLS is essential to encrypt and secure the communication.
  • Firewall Configuration: Make sure your firewall allows incoming connections on port 2376, and only from the hosts that need to manage this daemon.
  • Docker Contexts: Once the daemon is exposed with TLS, you can set up a Docker context for remote management as described previously.

Always consider the security implications when exposing your Docker daemon, and follow best practices for securing the Docker host and network communications.
