1

I have a group of docker containers running on a host (172.16.0.1). Because of restrictions of the size of the host running the docker containers, I'm trying to set up an auto-test framework on a different host (172.16.0.2). I need my auto-test framework to be able to access the docker containers. I've looked over the docker documentation and I don't see anything that says how to do this.

Is it possible to run a docker exec and point it to the docker host? I was hoping to do something like the following but there isn't an option to specify the host:

```
docker exec -h 172.16.0.1 -it my_container bash
```

Should I be using a different command?

Thank you!

mchawre
jencoston
  • Can you describe the broader environment where you need `docker exec`? I'd generally reserve it for a debugging tool; I'd avoid scripting it, especially in a multi-host environment like what you're describing. – David Maze Jan 05 '21 at 18:25
  • We are working to set up a development pipeline in an air-gapped environment. The goal is to have Jenkins run Cucumber tests on the services running in docker containers. – jencoston Jan 05 '21 at 18:33

2 Answers

2

Not sure why there is a need to do docker exec remotely, but anyway, it is achievable.

You need to make sure your docker daemon on your host where your containers are running is listening on a socket.

Something like this:

```
# Running docker daemon which listens on tcp socket
$ sudo dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
```

Now interact with the docker daemon remotely from an external VM using:

```
$ docker -H tcp://<machine-ip>:2375 exec -it my-container bash
# OR
$ export DOCKER_HOST="tcp://<machine-ip>:2375"
$ docker exec -it my-container bash
```

Note: Exposing the docker socket publicly in your network has some serious security risks, although there are other ways to expose it: on an encrypted HTTPS socket or over the SSH protocol.

Please go through these docs carefully, before attempting anything:

https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option

https://docs.docker.com/engine/security/https/

mchawre
  • 3
    Anyone who can access the Docker socket this way can **trivially root the host**. Be incredibly careful about enabling this option. I'd go for a large-scale overhaul of my test setup to not need `docker exec` before considering this path. – David Maze Jan 05 '21 at 18:23
1

If you have SSH on both machines, you can easily execute commands on the remote daemon like this:

```
docker -H "ssh://username@remote_host" <your normal docker command>
# for example:
docker -H "ssh://username@remote_host" exec ...
docker -H "ssh://username@remote_host" ps
# and so on
```

Another way to do the same is to store the -H value in the DOCKER_HOST environment variable:

```
export DOCKER_HOST=ssh://username@remote_host
# now you can talk to remote daemon with your regular commands
# these will be executed on remote host:
docker ps
docker exec ...
```

Without SSH you can make Docker listen for TCP. This will require you to make some preparations to maintain security. This guide walks through creating certificates and some basic usage. After that you will have somewhat similar usage:

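```
# global TLS options and host first, then the docker command to run
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \
  -H=172.16.0.1:2376 <your normal docker command>
```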

Lastly, you can use docker context to save external hosts and their configuration. Using a context allows you to communicate with various remote hosts with ease by using the --context <name> option. Read context documentation here.

anemyte
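
The difference between the plain TCP listener in the first answer and the TLS-verified one in the second, as an added example that is not part of either answer: a shell function that classifies the `-H` listeners on a `dockerd` command line. The function name and verdict labels are invented here, and it assumes the listeners are set on the command line rather than in `daemon.json`.

```shell
#!/bin/sh
# Added example: classify the API listeners on a dockerd command line.
# -H/--host and --tlsverify are real dockerd flags; the function name and
# the verdict labels are invented for this example.
#
# Prints one line per listener and returns 1 if any is EXPOSED:
#   LOCAL       unix:// or fd:// socket, not reachable over the network
#   TLS-VERIFY  TCP listener that only accepts clients with a CA-signed cert
#   EXPOSED     TCP listener that accepts any client (root-equivalent access)
audit_dockerd_args() {
    hosts="" tlsverify=no exposed=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -H|--host)      [ $# -ge 2 ] && { hosts="$hosts $2"; shift; } ;;
            -H=*|--host=*)  hosts="$hosts ${1#*=}" ;;
            --tlsverify|--tlsverify=true) tlsverify=yes ;;
            --tlsverify=false)            tlsverify=no ;;
            # --tls alone encrypts but does not authenticate clients,
            # so it is deliberately not treated as protection here.
        esac
        shift
    done
    for h in $hosts; do
        # dockerd treats a bare host:port as tcp://host:port
        case "$h" in *://*) ;; *) h="tcp://$h" ;; esac
        case "$h" in
            unix://*|fd://*) echo "LOCAL $h" ;;
            tcp://*)
                if [ "$tlsverify" = yes ]; then
                    echo "TLS-VERIFY $h"
                else
                    echo "EXPOSED $h"; exposed=1
                fi ;;
            *) echo "UNKNOWN $h" ;;
        esac
    done
    return "$exposed"
}

# Constructed sample inputs: the two daemon invocations discussed above.
audit_dockerd_args -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 || true
audit_dockerd_args --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem \
    --tlskey=server-key.pem -H=0.0.0.0:2376
```

The non-zero return on an EXPOSED listener lets the function gate a provisioning or CI step before the daemon is started with those arguments.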