Docker daemon on TCP port

General
1

I’ve read the instructions at https://docs.docker.com/docker-for-azure/deploy/ about tunneling the docker client over SSH to the unix socket on the server. However port forwarding to a unix socket is quite niche, and needs a recent version of SSH that isn’t available on our in house systems.

Port forwarding to an internal TCP socket is much more common. Is there anyway to enable the Docker daemon to bind to a port on localhost as described at dockerd | Docker Docs ?

This way we could use more a more standard SSH client (including Java ones) to do continuous deployment from our build system. This isn’t a security risk, because it would still require the private key to connect, same as for a named socket. The alternative would be to run a container that forwarded the TCP port to the socket, but that seems quite clunky, and I’m not even sure if it’s possible for this container to attach to localhost on the container that is running the ssh server.

2

I managed to get this to work using an Nginx container as a proxy. Generate TLS certs & keys as per the docker docs, then the Nginx config is:

user  root;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    
    server {
      listen 2376;
      ssl on;
      ssl_certificate /etc/nginx/certs/rw/server-cert.pem;
      ssl_certificate_key /etc/nginx/certs/rw/server-key.pem;
      ssl_client_certificate /etc/nginx/certs/rw/ca.pem;
      ssl_verify_client on;
      location / {
        proxy_pass http://unix:/var/run/docker.sock:/;
      }
    }
    
    server {
      listen 2377;
      ssl on;
      ssl_certificate /etc/nginx/certs/ro/server-cert.pem;
      ssl_certificate_key /etc/nginx/certs/ro/server-key.pem;
      ssl_client_certificate /etc/nginx/certs/ro/ca.pem;
      ssl_verify_client on;
      location / {
        limit_except GET {
          deny all;
        }
        proxy_pass http://unix:/var/run/docker.sock:/;  
        
      }
    }
    
    
    
}
Hook Docker for Azure up to Visual Studio Team Services