Search code examples
dockerdocker-machine

How to run Docker commands on remote Windows engine

I'm working on integrating Docker into our TeamCity build process so that I can create a task that runs a "docker build" to create an image from our code. Right now, all our build agents run on either Windows Server 2008 or Windows Server 2012, neither of which can run Docker. There's a chance we can get a license for one Windows Server 2016 build machine, but I'm wondering if there's a way to run Docker Engine on that machine while issuing docker commands from other build agents.

Here's what I've considered so far:

  • Docker Toolkit: This is a way to run Docker on legacy systems, but it spins up a local VirtualBox VM running Linux thus it can only run Linux containers. I need to be able to build and run Windows containers.
  • Docker Machine: This is a way to talk to a remote Docker engine. However, according to this open bug, it appears Docker Machine is only capable to talking to remote engines on Linux hosts due to security implementations; It's an old issue but I can't find any indication this limitation has been removed.
  • Docker itself uses a client/server architecture, but I couldn't find any documentation on how to talk to a remote engine without using something like Docker Machine.

Anything else I'm missing, or am I just pretty much out of luck unless we upgrade all our build agents to Windows 10 or Windows Server 2016?

Solution

  • You can start using the remote Windows Server 2016 instance from other build agents.

    Docker allows to expose the Docker Engine (aka Daemon) via tcp. In that case and especially when the host is publicly reachable you should consider configuring authentication using client/server certificates. Details can be found in the official documentation at https://docs.docker.com/engine/security/https/, but you may find the Windows Server specific article at https://stefanscherer.github.io/protecting-a-windows-2016-docker-engine-with-tls/ more helpful.

    Regarding your aspect of using a client to connect to a remote Docker Engine, please use the -H tls://<host>:<port> argument like described at https://docs.docker.com/engine/reference/commandline/cli/ (or see the example provided at https://stefanscherer.github.io/protecting-a-windows-2016-docker-engine-with-tls/#testtlsconnection).