问题描述

我有一台运行docker daemon的服务器，暴露了端口2375（是的，这很顽皮，但是我正在寻找在做正确的事情之前可以进行最简单的设置的工作）。

I have a server running the docker daemon exposing port 2375 (yes, this is naughty, but I'm looking at getting the simplest set-up working before doing things properly).

我可以以root用户身份连接到远程服务器：

I can connect to the remote server as root:

➜  ~ export DOCKER_HOST=72.333.194.99:2375
➜  ~ docker ps
Cannot connect to the Docker daemon at tcp://72.333.194.99:2375. Is the docker daemon running?
➜  ~ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED                 STATUS              PORTS               NAMES
➜  ~

为简便起见，上面的示例可以使用本地源文件在远程服务器上构建映像并运行容器。

The above example is for brevity, I can build images and run containers on my remote server using local source files.

我该怎么做？

我已经在服务器上设置了docker组，因此当我在服务器中时，无需使用sudo。我的服务器上有一个名为'root'的用户。

I have set up the docker group on my server, so when I'm in the server I do not need to be sudo. I have a single user on my server with the name 'root'.

推荐答案

这不是顽皮的，很危险。这意味着您可以通过众所周知的协议扫描主机根远程外壳，并且无需密码即可对主机进行未经加密的访问，而无需输入密码。如果您实际上是这样设置的，那么很可能在您阅读此答案时，您的服务器已经被黑，因此您应该重新安装整个操作系统以确保安全。

This isn't naughty, it's dangerous. It means you have remote root shell access to your host, unencrypted, without a password, on a well known and scanned for protocol. If you've actually set this up like this, then most likely by the time you're reading this answer your server has already been hacked and you should reinstall your entire OS to be safe.

➜  ~ export DOCKER_HOST=72.333.194.99:2375
➜  ~ docker ps
Cannot connect to the Docker daemon at tcp://72.333.194.99:2375. Is the docker daemon running?
➜  ~ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED                 STATUS              PORTS               NAMES
➜  ~

您未在任何docker命令中连接到远程服务器。首先，您没有提供有效的IP地址。 333超出有效范围。第二个sudo命令在具有不同环境的root shell中运行，因此您很有可能在该命令中看到了本地docker安装。您可以运行 sudo docker info 来查看此内容。

You have not connected to the remote server in either docker command. First, you did not give a valid IP address. 333 is outside of the valid range. And the second sudo command runs in a root shell, with a different environment, so it is most likely your local docker install that you saw with that command. You can run sudo docker info to see this.

Docker是一个客户端/服务器应用程序。通过TCP连接时，远程服务器不知道您的本地用户ID，因此从等式中消除它。您需要在本地具有root用户访问权限或成为docker组成员的原因是因为docker使用这些权限锁定了对 /var/run/docker.sock 的访问权限。如果尚未配置远程服务器（希望）在网络上侦听，则可以按照以下过程为服务器和客户端配置具有TLS密钥的私有CA：

Docker is a client/server application. The remote server does not know your local user id when connecting over TCP, so eliminate that from the equation. The reason you need to have root access locally, or be a member of the docker group, is because docker locks down access to /var/run/docker.sock with those permissions. If you have not configured the remote server to listen on the network (hopefully), then you can follow this procedure to configure a private CA with TLS keys for the server and client:

If you do not want to configure mutual TLS, 18.09 is currently in beta with the option to connect to a remote docker server over ssh: https://blog.docker.com/2018/09/join-the-beta-for-docker-engine-18-09/

$ docker -H ssh://[email protected] info

或

$ export DOCKER_HOST=ssh://[email protected]
$ docker info

这篇关于如何在没有root用户的情况下连接到远程docker守护程序？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！