
Can the docker machines created from one developer workstation using docker-machine commands be managed from another workstation? I am not looking for a solution involving docker swarm, but just docker machine.

From my understanding when docker-machine creates the machine on a remote environment like AWS EC2, it creates keys and certs which are then used for TLS based communication to the machine going forward. Therefore, in theory if I copy those keys and certs to another developer machine I should be able to connect to that remote docker machine.

However, I would like to know if that is the expected method to accomplish what I am looking to do. IMO this will be a scenario most of the docker community might be facing since multiple team members will need to share and manage the same remote docker machine.

Any guidance in this matter would be really appreciated.

frameworksnow
  • Any reason you need to share a docker host for development? It's easier if each dev has their own docker host VM for development; just choose cheaper instance types and make sure to destroy/stop the instances if not used – number5 May 13 '15 at 02:04
  • Thank you for the response. I intended a scenario beyond just during the development phase of the product, but deployments to production. Once a remote docker machine is created from a workstation, how can we manage that docker machine remotely from another workstation/build machine? – frameworksnow May 13 '15 at 02:19
  • did you manage to find a way to get this to work? – dcohenb Jun 23 '16 at 10:26

2 Answers


By using TLS based communication, docker is utilizing two-way SSL verification. In other words, not only does the client verify the server but also the other way round. By creating a docker machine with TLS enabled, you are becoming your own Certificate Authority (CA), and thus you are responsible for managing the SSL certificates. Docker machine does this behind the scenes, but I believe you can manually set up a self-signed CA and repoint Docker to use the certs and keys you set up. Thus, instead of sharing a single certificate and key with all developer workstations, issue a unique certificate and private key for every developer, signed by the CA private key. The only thing that has to be shared by everyone is the CA certificate, which is public.

The advantage of this is that you can revoke a certificate, say once a developer leaves, although this is difficult with self-signed certificates, and it allows accountability, where you can check who did what from the logs.

Docker TLS setup.

Becoming your own CA tutorial and certificate revocation

mixel
Daniel t.
  • Ahh yes :) This is a great piece of information for anyone worried about managing remote Docker Hosts in more recent versions of the Docker Engine! TL;DR; SSL secured :) – James Mills May 13 '15 at 03:58
  • Thank you @Daniel for the explanation. This is exactly what I was looking for. I am still surprised that docker did not include a subcommand to docker-machine to accomplish the same. – frameworksnow May 13 '15 at 11:03
  • The above question by @number5 makes me wonder if maybe docker machine is the wrong way to deploy? But it strikes me that I should just be able to copy certs from `~/.docker/machine/certs` and `~/.docker/machine/machines/...` to another machine, right? Am I missing something that would make this an insecure thing to do? I'm avoiding copying `default`, as that contains a whole boot2docker ISO. – Dav Clark Apr 04 '16 at 18:35
  • It would be very useful to include an example command sequence that shares a Docker Machine instance. – Daniel Darabos May 25 '16 at 14:06

There's an external tool to import/export docker-machines: machine-share.

machine-export <machine-name>
>> exported to <machine-name>.zip
machine-import <machine-name>.zip
>> imported

As an aside, I believe Daniel's solution is superior, but requires a significant investment in tools/workflows. machine-export should be sufficient in 95% of the cases.

EightyEight