Docker context problem

I was very impressed by Anca’s demonstration of using docker contexts at DockerConnect 2020. Now I am trying to get this going on my own system and trying to bring up containers on AWS Lightsail where I have a Docker instance created. I am running docker 19.03 on Lightsail.

I have created a context called remote:
richb201@richb201-XPS-13-9370:~$ docker context create remote --docker "host=ssh://ubuntu@54.152.94.40"
context "remote" already exists

Next I try to switch to it, but I get this error:
richb201@richb201-XPS-13-9370:~$ docker --context remote ps
error during connect: Get http://docker/v1.40/containers/json: command [ssh -l ubuntu 54.152.94.40 -- docker system dial-stdio] has exited with exit status 255, please make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=ubuntu@54.152.94.40: Permission denied (publickey).

To show that my public key works, I can directly ssh to the container:

richb201@richb201-XPS-13-9370:~$ ssh -i /home/richb201/Downloads/Docker1KeyPair.pem ubuntu@54.152.94.40
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 5.3.0-1019-aws x86_64)

System information as of Fri Jun 5 09:47:08 UTC 2020

System load: 0.0 Users logged in: 0
Usage of /: 15.3% of 19.32GB IP address for eth0: 172.26.15.76
Memory usage: 71% IP address for docker0: 172.17.0.1
Swap usage: 0% IP address for br-1ce9162cc37b: 172.18.0.1
Processes: 102

Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud

  • Canonical Livepatch is available for installation.

124 packages can be updated.
0 updates are security updates.

Last login: Fri Jun 5 09:35:10 2020 from 69.124.177.46
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

BTW, I am concerned that memory usage is 71% and I haven't even brought up my containers yet. I do see some containers already running in my instance that I don't remember loading myself. Any idea what these are and how I get rid of them? I can't docker-compose down since I don't have the docker-compose.yml. Do I need them?

ubuntu@ip-172-26-15-76:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5be2aab0db39 mikegcoleman/todo:latest "node ./bin/www" 40 hours ago Up 40 hours 0.0.0.0:80->3000/tcp docker_front_end_1
6d4bba3453bc mongo:latest "docker-entrypoint.s…" 40 hours ago Up 40 hours 27017/tcp docker_db_1

Your problem is right there: how can docker context know about your key?

Docker uses the ssh agent and thus the mechanisms for ssh. Add the host's config and identity file to the ssh config file and you should be good:

cat >> ~/.ssh/config <<-EOF
Host 54.152.94.40
     HostName 54.152.94.40
     User ubuntu
     IdentityFile ~/Downloads/Docker1KeyPair.pem 
EOF

Then try docker --context remote ps again

Thank you. Worked great!

If someone else stumbles across this thread and wants to use agent forwarding instead of identity file authentication, just replace

 IdentityFile ~/Downloads/Docker1KeyPair.pem 

with:

 ForwardAgent yes

Though, if your agent forwarder notifies when queried, you will not like the effect that EVERY bloody docker command will trigger the notification.

Another catch: if no connection to the ssh daemon had been established before, docker context will throw a "stderr=Host key verification failed." error when sending commands to the remote docker daemon. After a login was made (simply: ssh hostname) and added to the list of known hosts, it works like a charm. Even though adding StrictHostKeyChecking no would skip the host validation, it is not recommended to do so.
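A check that follows from the two ssh_config options mentioned in the posts above (ForwardAgent and StrictHostKeyChecking), as an added example that is not part of the original thread: it scans an ssh config for Host blocks that forward the agent or disable host key verification. The function names, the alias swarm-lab and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ssh_config settings that weaken the SSH transport a
# docker context with host=ssh://... depends on.
# Usage: audit_ssh_config [FILE]   (reads stdin when FILE is omitted)
audit_ssh_config() {
    awk '
        /^[ \t]*#/ { next }          # comment line
        /^[ \t]*$/ { next }          # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # ssh_config accepts both "Key Value" and "Key=Value"
            if (!match(line, /[ \t=]+/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
            lval = tolower(val)
            if (key == "host")  { host = val; next }
            if (key == "match") { host = "Match " val; next }
            if (host == "") host = "(global)"   # options before any Host line
            if (key == "stricthostkeychecking" && (lval == "no" || lval == "off"))
                print host ": host key verification disabled"
            if (key == "userknownhostsfile" && lval == "/dev/null")
                print host ": known_hosts discarded"
            if (key == "forwardagent" && lval != "no")
                print host ": agent forwarded to remote host"
        }
    ' "${1:--}"
}

# Constructed sample config: the first block is the one from the thread,
# the second (alias swarm-lab) is hypothetical.
sample_config() {
    cat <<'EOF'
Host 54.152.94.40
     HostName 54.152.94.40
     User ubuntu
     IdentityFile ~/Downloads/Docker1KeyPair.pem

Host swarm-lab
     ForwardAgent yes
     StrictHostKeyChecking=no
EOF
}

sample_config | audit_ssh_config
```

Run it as `audit_ssh_config ~/.ssh/config` to check the file that docker context's ssh transport actually reads.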

How does this guidance change when connecting to a remote swarm node (running on Linux) from a Windows laptop, where the remote host user requires sudo to run docker commands (e.g.: sudo docker container ls)? It appears to me that switching to a context that points at the remote swarm uses the command as it is typed at the Windows PowerShell prompt (in other words, without the sudo). I have verified that my Windows host public key is in the remote host's list of authorized keys and that I can ssh into that host without using a password, and I created the context from the Windows host using the following:

docker context create mycontext --description "swarm context for remote_host_ip" --docker "host=ssh://username@remote_host_ip" --default-stack-orchestrator=swarm

I have also tried using:
docker context create mycontext --description "swarm context for remote_host_ip" --docker "host=tcp://username@remote_host_ip:2375" --default-stack-orchestrator=swarm

But I receive the following error with method #1:
“Cannot connect to the Docker daemon at http://docker. Is the docker daemon running?”

And the following error with method #2:
error during connect: Get "http://remote_host_ip:2375/v1.24/containers/json": dial tcp remote_host_ip:2375: connectex: No connection could be made because the target machine actively refused it.

note: I have replaced the IP of the remote host with remote_host_ip.
note2: I do not want to allow docker commands to be run on the remote_host without sudo.