This module contains a docker-java transport that supports the ssh protocol. Since PR #1440 was not accepted, the same code is released here as an independent package. See also #1130 for the original feature request.
The module uses a fork of jsch as the Java ssh implementation and okhttp as the HTTP client.
While the native docker CLI has supported ssh connections since host Docker version 18.09 [1], different options make it possible to work with older versions as well. This library opens the ssh connection and then forwards the docker daemon socket to make it available to the HTTP client.
The default ssh connection configuration relies on the basic ssh config file in ~/.ssh/config.
It's basically the same as described in getting_started from docker-java.
Once you have set up public key authentication and DOCKER_HOST, you can create the HTTP client:

```java
// config: the docker-java client configuration that carries DOCKER_HOST
try (final JschDockerHttpClient httpClient = new JschDockerHttpClient.Builder()
        .connectTimeout(Duration.ofSeconds(20))
        .readTimeout(Duration.ofSeconds(20))
        .sslConfig(config.getSSLConfig())
        .dockerHost(config.getDockerHost())
        .build()) {
    // ...
}
```
By setting flags in the builder, one can control how the connection is made:
- docker system dial-stdio (default)
- direct-streamlocal: `.useSocket()` or `.useSocket("/my/path/to/docker.socket")`
- direct-tcpip: `.useTcp()` or `.useTcp(8765)`
- socat: `.useSocat()` or `.useSocat("/my/path/to/docker.socket")`
The SSH authentication relies on the Jsch mechanisms.
Configuration guidance:
- Password:

  ```java
  new JschDockerHttpClient.Builder()
      // ...
      .userInfo(new com.jcraft.jsch.UserInfo() { /* ... */ })
      .build();
  ```
- SSH-Agent:
  - *nix: use Java 16 and above or add junixsocket to the classpath

    ```java
    IdentityRepository identityRepository = new AgentIdentityRepository(new SSHAgentConnector());
    new JschDockerHttpClient.Builder()
        // ...
        .identityRepository(identityRepository)
        .build();
    ```
  - Windows with Pageant: add a dependency by putting jna-platform into the classpath

    ```java
    IdentityRepository identityRepository = new AgentIdentityRepository(new PageantConnector());
    new JschDockerHttpClient.Builder()
        // ...
        .identityRepository(identityRepository)
        .build();
    ```
The integration tests from docker-java are reused by applying patches.
Always make sure that you have a Docker host available via ssh, that the host is set in the DOCKER_HOST environment variable, and that the ssh config for this host is set up in ~/.ssh/config (compare with what is done in the CI environment in setup_ssh_config.sh).
For example, in GitHub Codespaces as of 06/2023, the ssh port is 2222, not 22.
Example maven command: `DOCKER_HOST=ssh://junit-host mvn verify -Dit.test=JschDockerHttpClientIT`
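The following pre-flight check is an added example, not part of this project or its CI scripts: it confirms that DOCKER_HOST is an ssh:// URL and that the ssh config has a Host entry for it, and shows which host and port that entry resolves to. The function names and the sample config are hypothetical; only exact Host aliases are matched.

```shell
#!/bin/sh
# Added example: pre-flight check before running the integration tests.
# Limitations (assumptions): exact Host alias match only (no wildcards, no
# Match blocks, no "Key=Value" syntax), no bracketed IPv6 in DOCKER_HOST.

# Print the host part of ssh://[user@]host[:port][/path]; fail on other schemes.
ssh_alias_from_docker_host() {
    case "$1" in ssh://*) ;; *) return 1 ;; esac
    rest=${1#ssh://}; rest=${rest%%/*}; rest=${rest##*@}; rest=${rest%%:*}
    [ -n "$rest" ] && printf '%s\n' "$rest"
}

# ssh_config_value <file> <alias> <keyword>: first value of <keyword> in the
# Host block naming <alias>; keyword "Host" prints the alias if the block exists.
ssh_config_value() {
    awk -v want="$2" -v key="$3" '
        BEGIN { key = tolower(key) }
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            if (inblock && key == "host") { print want; exit }
            next
        }
        inblock && tolower($1) == key { print $2; exit }
    ' "$1"
}

# preflight <DOCKER_HOST> <ssh config file>: print "alias -> host:port" or fail.
preflight() {
    host_alias=$(ssh_alias_from_docker_host "$1") ||
        { echo "DOCKER_HOST is not an ssh:// URL: $1" >&2; return 1; }
    [ -n "$(ssh_config_value "$2" "$host_alias" Host)" ] ||
        { echo "no Host entry for '$host_alias' in $2" >&2; return 2; }
    target=$(ssh_config_value "$2" "$host_alias" HostName)
    port=$(ssh_config_value "$2" "$host_alias" Port)
    echo "$host_alias -> ${target:-$host_alias}:${port:-22}"
}

# Constructed sample config (not from the project); port 2222 as in Codespaces.
sample_cfg=$(mktemp)
printf 'Host other\n  HostName 10.0.0.5\nHost junit-host\n  HostName localhost\n  Port 2222\n' >"$sample_cfg"
preflight "ssh://junit-host" "$sample_cfg"
rm -f "$sample_cfg"
```

Against a real setup, call `preflight "$DOCKER_HOST" ~/.ssh/config` before starting maven.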
On the remote host, one can connect to the docker daemon in several ways:
- docker system dial-stdio
- unix:///var/run/docker.sock (default on linux) https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option
- npipe:////./pipe/docker_engine (default on Windows) https://docs.docker.com/docker-for-windows/faqs/#how-do-i-connect-to-the-remote-docker-engine-api
- unix:///var/run/docker.sock (default on macos) https://docs.docker.com/docker-for-mac/faqs/#how-do-i-connect-to-the-remote-docker-engine-api
- tcp 2375
- tcp with TLS
Windows
Since forwarding the socket of a Windows host is not supported, the workaround is to start socat to forward the docker socket to a local TCP port.
Compare OpenSSH tickets:
[1] docker ssh support docker/cli#1014