Home/Insights/Networking

Troubleshooting RustRover Remote Docker Connections over SSH

Use this when RustRover cannot connect to a remote Docker host over SSH.

Quick Read

  • Symptom: Use this when RustRover cannot connect to a remote Docker host over SSH.
  • Check first: Confirm whether the failure is before SSH, during SSH authentication, during host key verification, or after SSH when Docker is queried.
  • Risk: Security-sensitive

Symptoms

RustRover cannot connect to a remote Docker host over SSH. The failure may appear during the RustRover Docker connection test, while opening the Docker tool window, or while RustRover tries to enumerate remote images, containers, or daemon metadata.

Environment

A local workstation running JetBrains RustRover is configured to use SSH transport to reach a Linux host where Docker is installed. The remote host runs an SSH server and a Docker daemon. The remote user must be able to authenticate over SSH and must have permission to access the Docker daemon, commonly through the Docker socket or an approved privileged workflow. This article does not cover SSH directly into a Docker container.

Most Likely Causes

Common failure domains are hostname resolution, blocked TCP access to the SSH port, wrong RustRover SSH settings, unsupported or misconfigured authentication, host key mismatch, expired or locked account, missing VPN or bastion routing, SSH server policy, Docker daemon stopped, remote user lacking Docker permissions, or RustRover not using the same SSH config or agent behavior as a terminal session.

What to Check First

  1. Confirm whether the failure is before SSH, during SSH authentication, during host key verification, or after SSH when Docker is queried.
  2. Resolve the remote hostname from the same client where RustRover fails.
  3. Test TCP reachability to the SSH port from the same client.
  4. Test terminal SSH using the same host, port, username, and authentication method intended for RustRover.
  5. Verify the SSH host key fingerprint before accepting new or changed host keys.
  6. After SSH succeeds, verify Docker daemon status and Docker CLI access for the same remote user.
  7. Check whether RustRover is using password, key file, SSH agent, OpenSSH config, ProxyJump, or another SSH configuration source.
  8. Compare a broken client against a known-good workstation, user account, SSH client, and RustRover profile when available.
  9. Review RustRover IDE logs, SSH server authentication logs, and Docker daemon logs in that order based on where the failure occurs.

Fix Steps

  1. Confirm the target is a remote Docker host, not a container

    Before collecting evidence, confirm with the requester that RustRover should talk to Docker on a remote host through SSH transport. Do not troubleshoot SSH inside a container under this article. Containers usually do not run SSH unless they were explicitly built and operated that way.

    Expected output:

    The incident scope states a remote Docker host name or IP address, SSH port, username, and authentication method. If the request instead says to log into a container by SSH, route it to a separate container access guide.

    Rollback or backout:

    No system changes are made.

  2. Capture RustRover connection settings and exact error

    In RustRover, open the Docker connection configuration and record the connection type, host, SSH port, username, authentication method, and whether RustRover is using IDE-managed credentials, an SSH key, SSH agent, or OpenSSH config. JetBrains UI paths vary by version and platform; commonly check Settings or Preferences, then Build, Execution, Deployment, then Docker, then add or edit a Docker connection using SSH. Use the Test Connection action if available. This UI workflow must be validated against the RustRover version in use before removing command-review-needed.

    Expected output:

    A useful capture includes the exact RustRover error text and timestamp, whether Test Connection fails before authentication or after Docker access, the configured host, port, username, and authentication type. Do not capture passwords, private key contents, passphrases, or tokens.

    Rollback or backout:

    If you change RustRover settings during testing, revert to the previously captured values or restore the previous IDE settings/profile backup.

  3. Check client-side name resolution

    Run this from the same workstation where RustRover fails. This is a read-only check. Use the exact hostname configured in RustRover, not a shortened or alternate name unless that is what RustRover uses.

    Example pattern only. Adjust for your environment before running.

    [object Object]
  4. Check TCP reachability to the SSH port from the client

    Run a platform-appropriate port test from the same workstation where RustRover fails. This does not authenticate to SSH, but it can still create network telemetry. Replace 22 if the remote host uses a non-default SSH port.

    Example pattern only. Adjust for your environment before running.

    [object Object]
[object Object]
  5. Test terminal SSH with the same connection details

    Use the same hostname, port, username, and authentication method intended for RustRover. This is security-sensitive because failed attempts may count toward lockout and create audit events. Stop after a small number of failures according to your identity policy.

    Example pattern only. Adjust for your environment before running.

    [object Object]
  6. Collect client-side SSH error detail when terminal SSH fails

    Use verbose SSH only when needed. The output may reveal usernames, hostnames, key paths, proxy hosts, and authentication methods. Sanitize before attaching to a ticket and never include private key material, passwords, passphrases, or tokens.

    Example pattern only. Adjust for your environment before running.

    [object Object]
  7. Verify the SSH service status on the remote host

    Run this only after you have a valid SSH path or through an approved remote console. Service names vary by distribution. Debian and Ubuntu commonly use ssh.service; RHEL-like systems commonly use sshd.service. These commands are read-only but may require privileges depending on system policy.

    Example pattern only. Adjust for your environment before running.

    [object Object]
[object Object]
  8. Verify remote Docker daemon status

    Run this after SSH succeeds. This separates SSH transport failures from Docker daemon failures. The command is read-only, but Docker service visibility can require local permissions.

    Example pattern only. Adjust for your environment before running.

    [object Object]
  9. Verify the remote user can run a non-destructive Docker command

    Use the same remote user that RustRover uses. This checks whether SSH login is enough to access the Docker daemon. Do not add the user to the docker group from this guide; that is a security-sensitive privilege change and often equivalent to root-level control on the host.

    Example pattern only. Adjust for your environment before running.

    [object Object]
[object Object]
[object Object]
  10. Check host firewall policy only if authorized

    Use these checks only with approval because they invoke sudo and expose firewall policy. The effective path may also include cloud security groups, network ACLs, load balancers, VPN policy, endpoint security, or upstream firewalls that are not visible from the host. These commands list policy only; they do not change rules.

    Example pattern only. Adjust for your environment before running.

    [object Object]
[object Object]
[object Object]
[object Object]
  11. Compare RustRover settings with a working path

    When terminal SSH works but RustRover fails, compare exactly what RustRover uses versus a known-good terminal or workstation. Pay special attention to whether RustRover reads OpenSSH config, uses a key file directly, uses an SSH agent, handles passphrases, supports the required bastion or ProxyJump path, and trusts the same host key.

    Expected output:

    A useful comparison identifies one difference at a time: different hostname or DNS suffix, different port, different username, different key, password auth disabled, missing SSH agent key, unsupported ProxyJump path, different VPN state, stale known_hosts entry, or Docker permission difference for the remote user.

    Rollback or backout:

    Revert any RustRover profile or connection setting changed during comparison to the captured baseline if it does not resolve the issue.

  12. Review RustRover and server logs around the same timestamp

    Correlate the RustRover failure timestamp with server-side SSH and Docker logs. RustRover IDE logs are the first place to look when terminal SSH works but the IDE fails. SSH server logs are primary for authentication, host key, and session setup failures. Docker daemon logs matter after SSH succeeds but Docker access fails.

    Example pattern only. Adjust for your environment before running.

    [object Object]
[object Object]

Validation

  • RustRover Docker connection test succeeds using the intended remote host, SSH port, username, and authentication method. Record the success timestamp and the exact UI result. Because RustRover-specific wording varies, verify the expected success message against the deployed version.
  • Terminal SSH succeeds with the same host, port, and user used by RustRover.
  • The same remote user can run a non-destructive Docker command such as docker version or docker ps without an interactive sudo prompt.
  • RustRover can enumerate the remote Docker daemon, images, or containers after the connection test. An empty container list is acceptable if the Docker host has no running containers.
  • Restart RustRover or reopen the project and confirm the connection still works if credentials, SSH config, SSH agent state, or IDE settings were changed.
  • Confirm there are no continuing host key warnings, repeated failed logins, account lockouts, fail2ban blocks, or security alerts related to the troubleshooting session.

Logs to Check

  • RustRover IDE log from the JetBrains menu path Help > Show Log in Files/Finder/Explorer. Inspect the current IDE log file shown by the UI, commonly idea.log in JetBrains IDEs, around the connection-test timestamp. Verify exact log naming for the RustRover version in use.
  • Client-side SSH verbose output from ssh -vvv when terminal SSH fails. Sanitize hostnames, usernames, key paths, and proxy details before sharing. Never include passwords, private keys, passphrases, or tokens.
  • Linux SSH server logs through journalctl for ssh.service or sshd.service. On Debian/Ubuntu-style systems also check /var/log/auth.log when journald is not the source of truth. On RHEL-like systems also check /var/log/secure when applicable.
  • Docker daemon logs through journalctl -u docker or the platform-specific Docker service log, but prioritize these only after SSH succeeds and Docker API access fails.
  • Host firewall logs, cloud security group flow logs, network ACL logs, VPN logs, bastion logs, or endpoint security logs when TCP reachability fails or the SSH server records no attempt.
  • Identity provider, PAM, sudo, fail2ban, and security monitoring logs when repeated authentication failures, lockouts, MFA prompts, or policy denials are suspected.

Rollback and Escalation

  • The commands in this rewritten runbook are intended to be observational. They do not modify Docker, SSH, firewall, or system service configuration.
  • If RustRover connection settings are changed during testing, revert them to the captured baseline: host, port, username, authentication method, key path, SSH config source, and Docker connection profile.
  • If a known_hosts entry is suspected, do not remove or replace it until the host key fingerprint is verified through an approved channel. If you changed known_hosts, restore the previous file from backup or versioned endpoint management after validating host identity.
  • If anyone made out-of-band changes such as firewall rules, sshd_config edits, Docker daemon changes, sudoers edits, or docker-group membership changes, roll back using that change ticket and host-specific backup. This article intentionally does not provide those remediation commands.
  • If sudo authentication timestamps were created during checks, no functional rollback is normally required, but be aware the activity may remain in audit logs.

Escalate When

  • Stop and escalate to the identity or security team after repeated Permission denied results, account lockout warnings, unexpected MFA prompts, or evidence of fail2ban/security blocking.
  • Stop and escalate to the host owner or security team on any host key mismatch. Do not bypass host key checking until the fingerprint is verified.
  • Escalate to the network, VPN, cloud, or firewall owner when TCP reachability fails and the SSH server logs show no attempt.
  • Escalate to the Linux platform owner when ssh.service or sshd.service is inactive, failed, missing, or listening on an unexpected interface or port.
  • Escalate to the Docker platform owner when SSH works but docker version or docker ps fails due to daemon outage, socket permission, or approved access model questions.
  • Escalate to the JetBrains/RustRover owner or vendor support when terminal SSH and remote Docker CLI both work with the same user but RustRover still fails, especially if IDE logs indicate plugin, credential store, SSH agent, or SSH config parsing behavior.
  • Escalate before making any production firewall, sudoers, sshd_config, Docker daemon, or group membership change without a reviewed change plan and rollback.

Edge Cases

  • RustRover may not use the same SSH configuration, SSH agent, key selection, ProxyJump, or known_hosts behavior as the terminal depending on IDE settings and version.
  • Password authentication may be disabled on the server even when public key authentication works.
  • A user added to the docker group can often control the Docker daemon with high privilege. Treat Docker access grants as security-sensitive, not as a routine convenience fix.
  • Interactive sudo may work in a terminal but fail in an IDE integration if RustRover expects non-interactive Docker access.
  • iptables output may not represent effective firewall policy on hosts using nftables, firewalld, ufw, cloud security groups, endpoint security, or upstream firewalls.
  • A client connected to VPN with split tunneling may resolve or route differently than another workstation.
  • Bastion hosts and ProxyJump settings can work in OpenSSH while failing in an IDE if the IDE is not configured to use the same SSH config path or agent.
  • No running containers is not a failure by itself. Docker access is validated by the ability to query the daemon, not by the presence of active containers.
  • Containers normally do not provide SSH access unless specifically designed to do so. Do not conflate remote Docker-over-SSH with container SSH.

Notes from the Field

  • Work left to right: DNS, TCP, SSH authentication, host key, remote Docker daemon, Docker permission, then RustRover-specific behavior. Do not start by changing server config.
  • Use the exact same tuple everywhere: hostname, port, username, authentication method, VPN state, and bastion path. Most false leads come from testing a different path than the IDE uses.
  • Do not paste secrets into incident notes. Redact private paths and internal hostnames when logs leave the operations boundary.
  • A successful SSH shell only proves login. RustRover still needs the remote user to access Docker in the way the IDE expects.
  • For one affected developer, compare against a known-good developer or workstation before changing the remote host. Single-client failures are often credential store, SSH agent, known_hosts, VPN, or IDE profile issues.
  • If production access is involved, collect evidence first and change nothing until the owning team approves the remediation.