Beyond SSH: How Docker Fleet Management Has Grown Up for Modern DevOps Teams

The SSH tunnel is one of the most durable pieces of operational infrastructure in modern software development. Invented in 1995, it is still in daily use in 2026. In many organisations, SSH to a remote host followed by a docker pull and a restart command is still how production deployments happen.

There is no shame in this for teams at the right scale. It works. The cognitive overhead is low. For a team managing two or three servers, it is a perfectly reasonable approach that does not need to change.

The problem is that many DevOps teams have been managing increasingly complex container infrastructure with tooling designed for much simpler problems. The number of hosts has grown. Environments have become more heterogeneous – cloud, on-premises, edge, IoT. Teams have expanded and distributed. The informal knowledge that made SSH-based management workable at small scale has fragmented.

The SSH Problem at Scale

SSH-based container management has several failure modes that become increasingly costly as the fleet grows.

Deployments are inherently host-by-host. Even with scripts to automate the process, deploying to twenty hosts requires twenty SSH connections. When one host fails mid-deployment, understanding the complete state of the fleet requires checking each host individually – a process that takes time and is prone to missed details.

Credential management becomes a real burden. SSH keys need to be distributed, rotated, and revoked as team members join and leave. For a small team managing a handful of hosts, this is manageable with some discipline. For a larger team with more hosts in more environments, maintaining proper credential hygiene becomes a continuous operational tax.
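The hygiene check this paragraph implies, as an added example that is not from the original article or any vendor's tooling: it parses each host's authorized_keys content, computes OpenSSH-style SHA256 fingerprints, and reports keys that are not on the current team roster. Host names, the roster and the key blobs are constructed sample data.

```python
import base64
import hashlib

# Common OpenSSH key type names, used to find the key after any options field.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) for each key line; skip blanks and comments."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no recognisable key on this line
        yield fingerprint(tokens[idx + 1]), " ".join(tokens[idx + 2:])

def audit_fleet(host_files, roster):
    """Return {host: [(fingerprint, comment), ...]} for keys not on the roster."""
    approved = set(roster.values())
    findings = {}
    for host, text in host_files.items():
        stale = [k for k in parse_authorized_keys(text) if k[0] not in approved]
        if stale:
            findings[host] = stale
    return findings

def _blob(label):
    """Constructed stand-in for a key blob (not a real key)."""
    return base64.b64encode(label.encode()).decode()

# Constructed sample data: bob has left the team, so only alice is on the roster.
ALICE, BOB = _blob("constructed-key-alice"), _blob("constructed-key-bob")
ROSTER = {"alice": fingerprint(ALICE)}
HOSTS = {
    "web-01": f"ssh-ed25519 {ALICE} alice@laptop\n",
    "web-02": f"# team keys\nssh-ed25519 {ALICE} alice@laptop\n"
              f'no-pty,from="10.0.0.5" ssh-ed25519 {BOB} bob@laptop\n',
}

if __name__ == "__main__":
    print(audit_fleet(HOSTS, ROSTER))
```

Matching on fingerprints rather than the comment field matters because the comment is free text that anyone editing the file can change.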

Access is effectively binary. A team member either has SSH access to a host or they do not. Expressing more nuanced access control requires layering additional tooling on top of SSH, adding complexity that typically does not get maintained consistently over time.

Audit trails are limited. Knowing that someone SSH-ed into a host and ran some commands tells you relatively little about what actually changed and why. Reconstructing the full story of a deployment or incident from SSH history is possible but slow and unreliable.

Replacing SSH and VPN for container deployments is about replacing an approach designed for individual host management with one designed from the ground up for fleet management.

What Modern Docker Fleet Management Actually Looks Like

The alternative to SSH-based management is an agent-based model. A lightweight agent runs on each host and maintains an outbound connection to a central management platform. Deployments, updates, and configuration changes are initiated from the platform and delivered to agents – without requiring inbound SSH access to any host.

This model directly addresses the SSH failure modes described above. Deployments target groups of hosts rather than individual machines. Credentials are managed at the platform level. Access control is policy-based and can express nuanced permissions without workarounds. Every operation is logged automatically, providing the audit trail that SSH history cannot.

The CI/CD Integration Question

Good fleet management platforms expose well-documented APIs that allow deployment triggers to be incorporated into existing pipeline tooling without significant disruption. The CI system builds and pushes the container image as it always has. The pipeline calls the fleet management API to initiate the deployment. The platform handles distribution to the target hosts, manages the rollout, and provides structured status reporting back to the pipeline.

The Edge Case That Changes the Calculation

For many DevOps teams, the argument for fleet management tooling becomes overwhelming when edge and IoT devices enter the infrastructure picture. The SSH-based approach that is merely suboptimal for cloud VMs becomes effectively impossible for edge devices deployed at remote locations, behind restrictive firewalls, or on networks where inbound connections simply are not feasible.

The same agent-based model that improves cloud VM management makes edge device management possible where it would otherwise require either physical access or VPN configurations of significant operational complexity. Daployi’s Docker fleet management for DevOps teams is built around this unified approach, handling both cloud and edge environments with the same operational model.