09.06.2025

How to set up access to Docker API?

Sometimes you need to manage Docker not only through the local docker command, but also remotely — using the API. In this article, we will figure out how to enable access to the Docker API, what connection methods exist, and how to ensure connection security.

By default, the Docker API is only available via a socket. After installing Docker, containers are managed via a Unix socket /var/run/docker.sock. This is a local method, and it does not allow you to connect over the network. If you try to send an HTTP request to localhost:2375, you will get a connection error:

curl http://localhost:2375/version
# curl: (7) Failed to connect to localhost port 2375: Connection refused

To use the API remotely, you need to change the Docker configuration.

Methods of accessing the Docker API

Docker can accept connections via:

Configuring the Docker API via configuration files

First, you need to change the Docker service startup parameters. Create or edit the file:

nano /etc/docker/daemon.json 

Add or edit the contents:

{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}

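Docker does not resolve conflicts between daemon.json and its startup arguments: if the listening hosts are set in both places, the daemon will not start. So remove the host (-H) arguments from the ExecStart line of the systemd unit, bringing it to the form shown in the screenshot: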

nano /lib/systemd/system/docker.service

Screenshot № 1 — Systemd

Please note that port 2375 is used without encryption. Use it only in a test environment or behind a firewall: the Docker API has no built-in mechanism for authenticating users, so anyone who can reach the port can control the daemon. Because of this misconfiguration, over 16 thousand machines may currently be infected:

Screenshot № 2 — Shodan

Apply the changes and restart Docker:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart docker

Check API availability:

curl http://localhost:2375/version

Screenshot № 3 — Client connection

How to connect to the API from another computer

On the client machine, you can use:

export DOCKER_HOST=tcp://SERVER_IP:2375
docker ps

If the connection is not established, make sure that:

For secure network access, use TLS. Specify the paths to the certificates when starting Docker:

dockerd \
-H=unix:///var/run/docker.sock \
-H=0.0.0.0:2376 \
--tlsverify \
--tlscacert=/etc/docker/ssl/ca.pem \
--tlscert=/etc/docker/ssl/server-cert.pem \
--tlskey=/etc/docker/ssl/server-key.pem
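
The following check is an added example, not part of the original article: it audits a daemon.json body and a dockerd command line for the two problems described above, the hosts conflict between daemon.json and -H, and TCP listeners started without --tlsverify. The function name, the severity labels and the stock ExecStart line are assumptions made for the example.

```python
import json
import shlex

LOCAL_SCHEMES = ("unix://", "fd://")
ALL_INTERFACES = ("", "0.0.0.0", "[::]")

def audit_docker_listeners(daemon_json_text, exec_start):
    """Return (severity, message) findings for one daemon.json + ExecStart pair."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    args = shlex.split(exec_start)

    # Hosts given as flags: "-H x", "--host x", "-H=x", "--host=x".
    flag_hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            flag_hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            flag_hosts.append(arg.split("=", 1)[1])
    file_hosts = cfg.get("hosts", [])

    findings = []
    # dockerd exits at startup when a setting is given in both places.
    if file_hosts and flag_hosts:
        findings.append(("error", "hosts set in daemon.json and via -H: daemon will not start"))

    # Client certificates are only required when tlsverify is on.
    tls_verify = bool(cfg.get("tlsverify")) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in args)

    for host in file_hosts + flag_hosts:
        if host.startswith(LOCAL_SCHEMES):
            continue  # local socket, not reachable over the network
        bind = host.split("://", 1)[-1].rsplit(":", 1)[0]
        if not tls_verify:
            sev = "critical" if bind in ALL_INTERFACES else "high"
            findings.append((sev, f"{host}: TCP listener without --tlsverify (no authentication)"))
    return findings

# Constructed sample inputs mirroring the configuration shown in this article.
PAGE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Assumed typical packaged unit line; check the ExecStart in your own docker.service.
STOCK_EXEC_START = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
TLS_EXEC_START = ("dockerd -H=unix:///var/run/docker.sock -H=0.0.0.0:2376 --tlsverify "
                  "--tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem "
                  "--tlskey=/etc/docker/ssl/server-key.pem")

if __name__ == "__main__":
    for sev, msg in audit_docker_listeners(PAGE_DAEMON_JSON, STOCK_EXEC_START):
        print(f"[{sev}] {msg}")
```
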

What to do if the API does not work

1. Docker is not listening on the TCP port. Check the startup arguments:

ps aux | grep dockerd

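Make sure the -H tcp://0.0.0.0:2375 flag is present. If the listener is configured through hosts in /etc/docker/daemon.json instead, the flag will not appear in this output; check that file.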

2. The port is blocked. Check your firewall and allow the port, preferably only for trusted client addresses:

sudo ufw allow 2375/tcp

3. SELinux or AppArmor is blocking the connection. On systems with SELinux or AppArmor, additional permissions may be required.

The Docker API is a powerful tool for managing containers, but it requires careful configuration. Never open port 2375 to a public network without protection. It is better to use TLS or to proxy the API through a secure reverse proxy (for example, Nginx with HTTPS).