Protect the Docker daemon socket

Current installations expose the Docker daemon socket over plain TCP, by

DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://<host-ip>:2375" 

in /etc/default/docker.

To activate TLS you need the CA certificate of the client certificates, and certificate and private key used by the server.

All clients can use the same client certificate. To also be able to use the same certificate for all servers you have to deactivate server verification
by the client.

1. Otherwise you have to create an individual certificate containing the host name and IPs for each docker host (e.g.):
   

   $ ssh j4care@dockertest-ng.lan.j4care.com
   $ cd certs
   $ openssl genrsa -out archive1-key.pem 4096
   Generating RSA private key, 4096 bit long modulus
   ..................................................................................................++
   ................................................................................................++
   e is 65537 (0x10001)
   $ openssl req -subj "/CN=archive1" -sha256 -new -key archive1-key.pem -out archive1.csr
   $ echo subjectAltName = DNS:archive1.lan.j4care.com,IP:192.168.2.169,IP:192.168.100.245,IP:127.0.0.1 > extfile.cnf
   $ openssl x509 -req -days 3650 -sha256 -in archive1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out archive1-cert.pem -extfile extfile.cnf
   Signature ok
   subject=/CN=archive1
   Getting CA Private Key
   Enter pass phrase for ca-key.pem:
   $ exit
   

2. Copy CA certificate and server certificate and private key from dockertest-ng.lan.j4care.com to the docker host:
   

   $ sudo su
   # scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem /etc/docker/ca.pem
   # scp j4care@dockertest-ng.lan.j4care.com:certs/archive1-cert.pem /etc/docker/server-cert.pem
   # scp j4care@dockertest-ng.lan.j4care.com:certs/archive1-key.pem /etc/docker/server-key.pem
   

   
   If you do not want to create an individual certificate for the docker host, you may use the certificate and key of dockertest-ng.lan.j4care.com:
   

   $ sudo su
   # scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem /etc/docker/ca.pem
   # scp j4care@dockertest-ng.lan.j4care.com:certs/domain.crt /etc/docker/server-cert.pem
   # scp j4care@dockertest-ng.lan.j4care.com:certs/domain.key /etc/docker/server-key.pem
   

3. Change DOCKER_OPTS in /etc/default/docker:
   

   DOCKER_OPTS="-H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376" 
   

4. Restart the docker-engine
   

     # sudo service docker restart
   

5. Copy CA certificate and client certificate and private key from dockertest-ng.lan.j4care.com into .docker/ in the home directory of the user which run the docker client:
   

   $ scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem $HOME/.docker/ca.pem
   $ scp j4care@dockertest-ng.lan.j4care.com:certs/cert.pem $HOME/.docker/cert.pem
   $ scp j4care@dockertest-ng.lan.j4care.com:certs/key.pem $HOME/.docker/key.pem
   

6. Test connection via TLS
   

   $ docker --tls -H tcp://archive1.lan.j4care.com:2376 version
   Client:
    Version:      1.11.1
    API version:  1.23
    Go version:   go1.5.4
    Git commit:   5604cbe
    Built:        Tue Apr 26 23:30:23 2016
    OS/Arch:      linux/amd64
   
   Server:
    Version:      1.11.1
    API version:  1.23
    Go version:   go1.5.4
    Git commit:   5604cbe
    Built:        Tue Apr 26 23:30:23 2016
    OS/Arch:      linux/amd64
   

   
   or with server verification:
   

   $ docker --tlsverify -H tcp://archive1.lan.j4care.com:2376 version
   :
   

7. Using maestro you have to activate TLS in the ships configuration, e.g.:
   

     ships:
       archive1:
           ip: 192.168.100.245
           endpoint: archive1.lan.j4care.com
           docker_port: 2376
           tls: true
           tls_verify: true
           tls_ca_cert: /home/j4care/.docker/ca.pem
           tls_key: /home/j4care/.docker/key.pem
           tls_cert: /home/j4care/.docker/cert.pem
     

   
   Deactivating server verification by removing tls_verify and tls_ca_cert from the ship configuration works, but generates warnings in Maestro’s output
   

   /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
     InsecureRequestWarning)
     

8. Using docker-compose:
   

   $ docker-compose --tlsverify --skip-hostname-check \
       --tlscacert=$HOME/.docker/ca.pem \
       --tlscert=$HOME/.docker/cert.pem \
       --tlskey=$HOME/.docker/key.pem \
       -H tcp://archive1.lan.j4care.com:2376 ...
   

   
   or with server verification:
   

   $ docker-compose --tlsverify \
       --tlscacert=$HOME/.docker/ca.pem \
       --tlscert=$HOME/.docker/cert.pem \
       --tlskey=$HOME/.docker/key.pem \
       -H tcp://archive1.lan.j4care.com:2376 ...
   

s. https://docs.docker.com/engine/security/https/