
Protect the Docker daemon socket

Current installations expose the Docker daemon socket over plain TCP, without encryption or authentication, by

DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://<host-ip>:2375"

in /etc/default/docker. Anyone who can reach port 2375 can start containers as root on that host, so the TCP listener must only be offered over TLS with client certificate authentication.

To activate TLS you need the certificate of the CA that signed the client certificates, and the certificate and private key used by the server.

All clients can use the same client certificate. To also use one and the same certificate for all servers you have to deactivate server verification
by the client; note that the client then no longer detects a man-in-the-middle presenting another certificate, it only gets an encrypted connection.

  1. Otherwise, you have to create an individual certificate containing the host name and the IP addresses of each docker host, e.g.:
    $ ssh j4care@dockertest-ng.lan.j4care.com
    $ cd certs
    $ openssl genrsa -out archive1-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    ..................................................................................................++
    ................................................................................................++
    e is 65537 (0x10001)
    $ openssl req -subj "/CN=archive1" -sha256 -new -key archive1-key.pem -out archive1.csr
    $ echo subjectAltName = DNS:archive1.lan.j4care.com,IP:192.168.2.169,IP:192.168.100.245,IP:127.0.0.1 > extfile.cnf
    $ openssl x509 -req -days 3650 -sha256 -in archive1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out archive1-cert.pem -extfile extfile.cnf
    Signature ok
    subject=/CN=archive1
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:
    $ exit
    
  2. Copy CA certificate and server certificate and private key from dockertest-ng.lan.j4care.com to the docker host:
    $ sudo su
    # scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem /etc/docker/ca.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/archive1-cert.pem /etc/docker/server-cert.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/archive1-key.pem /etc/docker/server-key.pem
    

    If you do not want to create an individual certificate for the docker host, you may use the certificate and key of dockertest-ng.lan.j4care.com:
    $ sudo su
    # scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem /etc/docker/ca.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/domain.crt /etc/docker/server-cert.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/domain.key /etc/docker/server-key.pem
    
  3. Change DOCKER_OPTS in /etc/default/docker; this removes the unencrypted listener on 2375 and uses 2376, the conventional port for the TLS-protected API:
    DOCKER_OPTS="-H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376" 
    
  4. Restart the Docker engine (as root, as in step 2):
      # service docker restart
    
  5. Copy the CA certificate and the client certificate and private key from dockertest-ng.lan.j4care.com into .docker/ in the home directory of the user that runs the docker client (keep key.pem readable only by that user):
    $ scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem $HOME/.docker/ca.pem
    $ scp j4care@dockertest-ng.lan.j4care.com:certs/cert.pem $HOME/.docker/cert.pem
    $ scp j4care@dockertest-ng.lan.j4care.com:certs/key.pem $HOME/.docker/key.pem
    
  6. Test the connection via TLS. With --tls the client encrypts the connection and presents its certificate, but does not verify the server certificate:
    $ docker --tls -H tcp://archive1.lan.j4care.com:2376 version
    Client:
     Version:      1.11.1
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   5604cbe
     Built:        Tue Apr 26 23:30:23 2016
     OS/Arch:      linux/amd64
    
    Server:
     Version:      1.11.1
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   5604cbe
     Built:        Tue Apr 26 23:30:23 2016
     OS/Arch:      linux/amd64
    

    or with server verification (--tlsverify checks the server certificate against ca.pem; the client loads ca.pem, cert.pem and key.pem from $HOME/.docker by default):
    $ docker --tlsverify -H tcp://archive1.lan.j4care.com:2376 version
    :
    
  7. With Maestro you have to activate TLS in the ships configuration, e.g.:
      ships:
        archive1:
            ip: 192.168.100.245
            endpoint: archive1.lan.j4care.com
            docker_port: 2376
            tls: true
            tls_verify: true
            tls_ca_cert: /home/j4care/.docker/ca.pem
            tls_key: /home/j4care/.docker/key.pem
            tls_cert: /home/j4care/.docker/cert.pem
      

    Deactivating server verification by removing tls_verify and tls_ca_cert from the ship configuration works, but leaves the server certificate unverified and generates warnings in Maestro's output:
    /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
      
  8. Using docker-compose, with the certificate chain verified but without checking the daemon's host name against the server certificate:
    $ docker-compose --tlsverify --skip-hostname-check \
        --tlscacert=$HOME/.docker/ca.pem \
        --tlscert=$HOME/.docker/cert.pem \
        --tlskey=$HOME/.docker/key.pem \
        -H tcp://archive1.lan.j4care.com:2376 ...
    

    or with full server verification, including the host name:
    $ docker-compose --tlsverify \
        --tlscacert=$HOME/.docker/ca.pem \
        --tlscert=$HOME/.docker/cert.pem \
        --tlskey=$HOME/.docker/key.pem \
        -H tcp://archive1.lan.j4care.com:2376 ...
    
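    The certificate material that steps 1, 2 and 5 above copy around (ca.pem, server-cert.pem, server-key.pem, cert.pem, key.pem) can be produced with the following script. It is an added example and not part of the original page or of the j4care/dcm4che tooling; it follows the openssl commands shown in step 1, adds the CA and the client certificate that the page assumes already exist in certs/ on dockertest-ng, and checks the result with openssl verify. The host name and IP addresses are the page's examples; the CA subject (CN=docker-ca), the client subject (CN=client), the file names and the extendedKeyUsage restrictions are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page or the j4care project): create a
# CA, a server certificate with subjectAltName for one Docker host and a client
# certificate restricted to TLS client authentication, then verify them.
set -eu

KEY_BITS="${KEY_BITS:-4096}"   # the page uses 4096 bit keys; smaller only for tests
DAYS="${DAYS:-3650}"

# gen_docker_tls OUTDIR HOSTNAME DNSNAME IP[,IP...]
# Writes ca.pem, ca-key.pem, server-cert.pem, server-key.pem, cert.pem, key.pem.
gen_docker_tls() {
    outdir=$1; host=$2; dns=$3; ips=$4
    mkdir -p "$outdir"
    (
        cd "$outdir"
        umask 077   # private keys are created readable by the owner only

        # 1. CA (assumed name docker-ca). The key is unencrypted so the script
        #    runs non-interactively; add -aes256 to protect a real CA key with
        #    a passphrase, as the page's ca-key.pem is.
        openssl genrsa -out ca-key.pem "$KEY_BITS" 2>/dev/null
        openssl req -new -x509 -days "$DAYS" -sha256 -subj "/CN=docker-ca" \
            -key ca-key.pem -out ca.pem

        # 2. Server certificate: CN plus SAN with the DNS name and every IP
        #    address the daemon is reached on; a verifying client compares the
        #    host it connected to against these entries.
        san="DNS:$dns"
        for ip in $(printf '%s' "$ips" | tr ',' ' '); do san="$san,IP:$ip"; done
        openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
        openssl req -new -sha256 -subj "/CN=$host" -key server-key.pem -out server.csr
        printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" > server-ext.cnf
        openssl x509 -req -days "$DAYS" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null

        # 3. Client certificate (assumed name client), restricted with
        #    extendedKeyUsage = clientAuth so it cannot be reused as a server
        #    certificate by whoever holds key.pem.
        openssl genrsa -out key.pem "$KEY_BITS" 2>/dev/null
        openssl req -new -sha256 -subj "/CN=client" -key key.pem -out client.csr
        printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
        openssl x509 -req -days "$DAYS" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile client-ext.cnf -out cert.pem 2>/dev/null

        rm -f server.csr client.csr server-ext.cnf client-ext.cnf
        chmod 0444 ca.pem server-cert.pem cert.pem   # certificates are public
    )
}

# verify_docker_tls OUTDIR DNSNAME
# Both certificates must chain to the CA, the server certificate must carry the
# expected DNS SAN and the client certificate must be limited to client
# authentication. Returns non-zero on the first failed check.
verify_docker_tls() {
    outdir=$1; dns=$2
    openssl verify -CAfile "$outdir/ca.pem" "$outdir/server-cert.pem" >/dev/null &&
    openssl verify -CAfile "$outdir/ca.pem" "$outdir/cert.pem" >/dev/null &&
    openssl x509 -in "$outdir/server-cert.pem" -noout -text | grep -q "DNS:$dns" &&
    openssl x509 -in "$outdir/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Usage: sh docker-tls-certs.sh ./certs archive1 archive1.lan.j4care.com 192.168.2.169,192.168.100.245,127.0.0.1
if [ $# -eq 4 ]; then
    gen_docker_tls "$@" && verify_docker_tls "$1" "$3" && echo "certificates in $1 verified"
fi
```

    After running it, ca.pem, server-cert.pem and server-key.pem go to /etc/docker/ on the Docker host (step 2) and ca.pem, cert.pem and key.pem to $HOME/.docker/ on the client (step 5). Because the client certificate is issued by the same CA as the server certificate, one CA file serves both --tlscacert on the daemon and ca.pem on the client.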

See https://docs.docker.com/engine/security/https/