I already have a VPN set up for secure access to my EC2 hosts, and your requirement to use an SSH tunnel on top of that is a big burden to adopting Docker for AWS on my team. We’ve already covered securing our connections to AWS, so can you please let us access the Docker remote API directly?
You can use socat in a container to forward the Docker daemon's Unix socket to a TCP port. Here's a sketch using
docker run -p 2376:2376 -d -v /var/run/docker.sock:/var/run/docker.sock verb/socat:alpine TCP-LISTEN:2376,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock
You have to be extremely careful when doing this, to avoid exposing an unauthenticated Docker daemon endpoint on the public internet: anyone who can reach that port has root-equivalent control of the host. In particular, if you used the above with docker service create, port 2376 could be auto-configured by the Docker for AWS load balancer integration. You would want to run any such service in global mode, confined to manager nodes, and ensure that the port is not exposed to the internet.
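As an added example (not part of the Docker for AWS documentation or the socat image), here is a small audit that checks whether a forwarded Docker API port is published on anything other than the VPN, plus a variant of the sketch above that binds the host side of `-p` to a single address. The VPN address 10.8.0.1 and subnet 10.8.0.0/24 are assumptions, and the `docker ps --format '{{.Ports}}'` lines it runs over are constructed sample input, not output from a real host.

```python
"""Audit published Docker API ports so the socat forwarder only answers on the VPN.

Added example; not code from the Docker for AWS docs. The VPN addresses and
the sample `docker ps` port fields below are assumptions/constructed input.
"""
import ipaddress
import re
from typing import Dict, List

# Conventional Docker daemon ports: 2375 plaintext, 2376 TLS. A socat
# forwarder to /var/run/docker.sock typically reuses one of these.
DOCKER_API_PORTS = {2375, 2376}

# Assumed: this host's address on the VPN interface and the VPN subnet.
VPN_BIND_ADDR = "10.8.0.1"
VPN_NET = "10.8.0.0/24"

# One published mapping as printed in the `docker ps` Ports column, e.g.
#   0.0.0.0:2376->2376/tcp   :::2376->2376/tcp   [::]:2376->2376/tcp
_PORT_RE = re.compile(r"^(?P<addr>.+):(?P<host_port>\d+)->(?P<cport>\d+)/(?P<proto>\w+)$")

# Constructed sample: first line is what the page's sketch produces as written.
SAMPLE_DOCKER_PS_PORTS = [
    "0.0.0.0:2376->2376/tcp, :::2376->2376/tcp",  # all interfaces, v4 and v6
    "10.8.0.1:2376->2376/tcp",                    # bound to the VPN address
    "127.0.0.1:2375->2375/tcp",                   # loopback only
    "0.0.0.0:80->80/tcp",                         # public, but not the API
    "8080/tcp",                                   # exposed, not published
]


def socat_forward_cmd(bind_addr: str = VPN_BIND_ADDR) -> str:
    """Return the page's `docker run` sketch with the host side of -p bound to
    one address (assumed VPN address) instead of all interfaces. socat inside
    the container still listens on all of its own interfaces; Docker's port
    mapping is what restricts reachability on the host."""
    return (
        "docker run -d "
        f"-p {bind_addr}:2376:2376 "
        "-v /var/run/docker.sock:/var/run/docker.sock "
        "verb/socat:alpine "
        "TCP-LISTEN:2376,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock"
    )


def parse_port_mappings(ports_field: str) -> List[Dict]:
    """Parse one Ports field into mappings. Entries without '->' are ports
    that are merely exposed, not published, so they are skipped."""
    mappings = []
    for item in (s.strip() for s in ports_field.split(",")):
        m = _PORT_RE.match(item)
        if not m:
            continue
        mappings.append({
            "raw": item,
            "addr": m.group("addr").strip("[]"),  # newer Docker prints [::]
            "host_port": int(m.group("host_port")),
            "container_port": int(m.group("cport")),
            "proto": m.group("proto"),
        })
    return mappings


def is_wildcard(addr: str) -> bool:
    """True for 0.0.0.0 / ::, i.e. the socket accepts on every interface."""
    return ipaddress.ip_address(addr).is_unspecified


def exposed_api_ports(ports_fields: List[str], allowed_net: str = VPN_NET) -> List[str]:
    """Return the raw mappings that publish a Docker API port on all
    interfaces or on an address outside `allowed_net`. Loopback is allowed."""
    net = ipaddress.ip_network(allowed_net)
    findings = []
    for field in ports_fields:
        for m in parse_port_mappings(field):
            if m["host_port"] not in DOCKER_API_PORTS:
                continue
            addr = ipaddress.ip_address(m["addr"])
            if addr.is_loopback:
                continue
            # `addr in net` is False across IP versions, so a v6 wildcard or
            # global address is flagged against a v4 VPN subnet as intended.
            if addr.is_unspecified or addr not in net:
                findings.append(m["raw"])
    return findings


if __name__ == "__main__":
    print("Hardened forwarder:", socat_forward_cmd())
    for bad in exposed_api_ports(SAMPLE_DOCKER_PS_PORTS):
        print("Docker API reachable off-VPN:", bad)
```

On a real node the input would come from `docker ps --format '{{.Ports}}'` (one field per line); the audit only reasons about Docker's own port bindings, so a host firewall or security group that blocks 2376 from outside the VPN is still the control to verify separately. Swarm services published through the routing mesh bind on every node rather than through `-p`, which is why the answer above steers towards global mode on managers and checking the load balancer configuration rather than relying on the mapping alone.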