JT
June 9 2025
Updated June 9 2025

How to set up access to Docker API?

Linux

Sometimes you need to manage Docker not only through the local docker command, but also remotely — using the API. In this article, we will figure out how to enable access to the Docker API, what connection methods exist, and how to ensure connection security.

By default, the Docker API is only available via a socket. After installing Docker, containers are managed via a Unix socket /var/run/docker.sock. This is a local method, and it does not allow you to connect over the network. If you try to send an HTTP request to localhost:2375, you will get a connection error:

curl http://localhost:2375/version
# curl: (7) Failed to connect to localhost port 2375: Connection refused

To use the API remotely, you need to change the Docker configuration.

Methods of accessing the Docker API

Docker can accept connections via:

  • Unix socket (/var/run/docker.sock) — default.
  • TCP socket without TLS (e.g. tcp://0.0.0.0:2375) — open access, NOT recommended.
  • TCP socket with TLS (e.g. tcp://0.0.0.0:2376) — secure method.

Configuring the Docker API via configuration files

First, you need to change the Docker service startup parameters. Create or edit the file:

nano /etc/docker/daemon.json 

Add or edit the contents:

{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}

Docker does not resolve collisions between daemon.json and the arguments passed at startup, so remove the startup arguments from the systemd unit file, bringing it to the form shown in the screenshot:

nano /lib/systemd/system/docker.service
Screenshot № 1 — Systemd

Please note that port 2375 is used without encryption. Use it only in a test environment or behind a firewall, because the Docker API does not provide any authentication mechanism of its own for validating users. Because of this misconfiguration, over 16 thousand machines may currently be infected:

Screenshot № 2 — Shodan

Apply the changes and restart Docker:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart docker

Check API availability:

curl http://localhost:2375/version
Screenshot № 3 — Client connection

How to connect to the API from another computer

On the client machine, you can use:

export DOCKER_HOST=tcp://SERVER_IP:2375
docker ps

If the connection is not established, make sure that:

  • The server is listening on port 2375 (ss -tuln | grep 2375)
  • The port is open in the firewall (ufw allow 2375/tcp)
  • Docker is indeed running with the required -H flag

The safe option is TLS

Generating SSL certificates

For secure network access, use TLS. Specify the paths to the certificates when starting Docker:

dockerd \
-H=unix:///var/run/docker.sock \
-H=0.0.0.0:2376 \
--tlsverify \
--tlscacert=/etc/docker/ssl/ca.pem \
--tlscert=/etc/docker/ssl/server-cert.pem \
--tlskey=/etc/docker/ssl/server-key.pem
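
An added example (not from the original article and not Docker's own code) that audits the two places this article configures listeners, daemon.json and the dockerd command line in docker.service. It reports the hosts collision, TCP listeners without --tlsverify, and wildcard binds. The function name, the finding labels and the sample strings are assumptions made for illustration.

```python
import json
import shlex

# Constructed samples modelled on the configurations shown in this article.
PLAIN_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
STOCK_UNIT = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
TLS_UNIT = ("/usr/bin/dockerd -H=unix:///var/run/docker.sock -H=0.0.0.0:2376 "
            "--tlsverify --tlscacert=/etc/docker/ssl/ca.pem "
            "--tlscert=/etc/docker/ssl/server-cert.pem "
            "--tlskey=/etc/docker/ssl/server-key.pem")

def _is_tcp(host):
    # dockerd treats a bare host:port as tcp://; unix:// and fd:// are local.
    return host.startswith("tcp://") or "://" not in host

def audit_docker_listeners(daemon_json_text, execstart):
    """Return sorted findings for daemon.json text plus an ExecStart command."""
    cfg = json.loads(daemon_json_text or "{}")
    args = shlex.split(execstart)[1:]  # drop the dockerd binary path
    flag_hosts = []
    tlsverify = bool(cfg.get("tlsverify"))
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            flag_hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            flag_hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    findings = set()
    json_hosts = cfg.get("hosts", [])
    if json_hosts and flag_hosts:  # the collision described earlier
        findings.add("CONFLICT: hosts set in daemon.json and via -H")
    for host in json_hosts + flag_hosts:
        if not _is_tcp(host):
            continue
        addr = host.split("://", 1)[-1]
        if not tlsverify:  # without client certificates anyone can connect
            findings.add(f"NO_TLSVERIFY: {addr} accepts unauthenticated clients")
        if addr.startswith(("0.0.0.0:", "[::]:")):
            findings.add(f"WILDCARD_BIND: {addr} listens on every interface")
    return sorted(findings)

if __name__ == "__main__":
    for cfg, unit in ((PLAIN_JSON, STOCK_UNIT), ("{}", TLS_UNIT)):
        print(audit_docker_listeners(cfg, unit))
```

A wildcard bind combined with --tlsverify is reported only as a reminder to restrict the port in the firewall to the hosts that need it.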

What to do if the API does not work

1. Docker is not listening on the TCP port. Check the startup arguments:

ps aux | grep dockerd

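Make sure the -H tcp://0.0.0.0:2375 flag is present. If the listener is defined in /etc/docker/daemon.json instead, it does not appear in the process arguments; check the hosts entry in that file.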

2. The port is blocked. Check your firewall:

sudo ufw allow 2375/tcp

3. SELinux or AppArmor is blocking the connection. On systems with SELinux or AppArmor, additional permissions may be required.

The Docker API is a powerful tool for managing containers, but it requires careful configuration. Never open port 2375 to a public network without protection. It is better to use TLS or to put the API behind a secure reverse proxy (for example, Nginx with HTTPS).
