Ubuntu – Accessing Docker API with Portainer

docker, networking, Ubuntu

I'm in a situation where I'd like to access a docker installation on a different network with a local Portainer UI. I've looked at the documentation for exposing the docker API over TCP and how to secure it. Also found this answer incredibly helpful.

From there, I've decided to go the SSH route but a little more manually. I've forwarded the remote docker socket to a local tcp port so that I can secure the connection but also not scratch my head over TLS (I've tried that as well but haven't had much luck. Might be the same issue).

ssh -R 127.0.0.1:3306:/var/run/docker.sock administrator@IP

and have been able to prove that the connection works with

docker -H 127.0.0.1:3306 info

and get the info from the remote host just fine.

However, when I try to configure Portainer with a new Endpoint and select the Docker API option with the Endpoint URL of 127.0.0.1:3306, I simply get an error:

Failure: Unable to initiate communications with endpoint.

Are there additional permissions I need to give to the Portainer container to access local connections? I've also tried exposing the endpoint without TLS via the standard daemon configuration and the machine is listening to the open port but still no luck with Portainer.

Any recommendations or points in the right direction for where to go from here?

Best Answer

After checking out this issue, Portainer does not support SSH connections to the docker daemon. They plan to in the future but it is not currently on the top of their features list.

After double checking my .json config file and ensuring to open up traffic to 0.0.0.0 instead of 127.0.0.1, I was able to connect to it with Portainer. Then double checking how to configure both client/server verification with TLS, I think this will suffice.

I'm not sure why forwarding ports over SSH and trying to connect to the local 127.0.0.1 address failed on Portainer, though; it may have something to do with how docker networking is configured.

If anyone has a better solution for securely accessing a remote docker instance with a local Portainer install, please feel free to answer and it will most likely be accepted.

And yes, I also attempted to use the Edge Agent but I couldn't seem to get this working either at the time. Probably has something to do with my firewall.
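
Added example (not part of the original question or answer): a check for the setup the answer describes, where the Docker API listens on 0.0.0.0 and is meant to be protected by client/server TLS verification. It reads a `daemon.json` document and reports every TCP listener that does not require client certificates. The sample configs, ports and certificate paths are constructed for illustration; `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are the daemon's own configuration keys.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configs (not taken from the post).
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,                                  # require client certs
    "tlscacert": "/etc/docker/certs/ca.pem",            # placeholder path
    "tlscert": "/etc/docker/certs/server-cert.pem",     # placeholder path
    "tlskey": "/etc/docker/certs/server-key.pem",       # placeholder path
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(text):
    """Return (host, scope, issue) for each TCP listener lacking mutual TLS."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network listeners
        if cfg.get("tlsverify"):
            continue  # clients must present a cert signed by tlscacert
        addr = urlsplit(host).hostname or ""
        scope = "loopback only" if addr in LOOPBACK else "network-reachable"
        if cfg.get("tls"):
            issue = "encrypted, but clients are not authenticated"
        else:
            issue = "plaintext and unauthenticated"
        findings.append((host, scope, issue))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("tls-only", TLS_ONLY),
                      ("hardened", HARDENED)):
        results = audit_daemon_config(doc)
        print(name, "->", results if results else "OK")
```

Anyone who can reach an unauthenticated Docker API listener can start privileged containers on that host, so a `network-reachable` finding should be treated as root-equivalent exposure.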