Protect the Docker daemon socket
Current installations expose the Docker daemon socket over plain TCP, by

    DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://<host-ip>:2375"

in /etc/default/docker.
To activate TLS you need the CA certificate used to verify the client certificates, and a certificate and private key for the server.
All clients can use the same client certificate. To be able to use the same certificate for all servers as well, you have to deactivate server verification by the client.
- Otherwise you have to create an individual certificate containing the host name and IPs for each docker host (e.g.):

    $ ssh j4care@dockertest-ng.lan.j4care.com
    $ cd certs
    $ openssl genrsa -out archive1-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    ..................................................................................................++
    ................................................................................................++
    e is 65537 (0x10001)
    $ openssl req -subj "/CN=archive1" -sha256 -new -key archive1-key.pem -out archive1.csr
    $ echo subjectAltName = DNS:archive1.lan.j4care.com,IP:192.168.2.169,IP:192.168.100.245,IP:127.0.0.1 > extfile.cnf
    $ openssl x509 -req -days 3650 -sha256 -in archive1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out archive1-cert.pem -extfile extfile.cnf
    Signature ok
    subject=/CN=archive1
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:
    $ exit
- Copy CA certificate and server certificate and private key from dockertest-ng.lan.j4care.com to the docker host:

    $ sudo su
    # scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem /etc/docker/ca.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/archive1-cert.pem /etc/docker/server-cert.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/archive1-key.pem /etc/docker/server-key.pem
  If you do not want to create an individual certificate for the docker host, you may use the certificate and key of dockertest-ng.lan.j4care.com:

    $ sudo su
    # scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem /etc/docker/ca.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/domain.crt /etc/docker/server-cert.pem
    # scp j4care@dockertest-ng.lan.j4care.com:certs/domain.key /etc/docker/server-key.pem
- Change DOCKER_OPTS in /etc/default/docker:

    DOCKER_OPTS="-H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376"
- Restart the docker-engine:

    # sudo service docker restart
- Copy CA certificate and client certificate and private key from dockertest-ng.lan.j4care.com into .docker/ in the home directory of the user which runs the docker client:

    $ scp j4care@dockertest-ng.lan.j4care.com:certs/ca.pem $HOME/.docker/ca.pem
    $ scp j4care@dockertest-ng.lan.j4care.com:certs/cert.pem $HOME/.docker/cert.pem
    $ scp j4care@dockertest-ng.lan.j4care.com:certs/key.pem $HOME/.docker/key.pem
- Test the connection via TLS without server verification:

    $ docker --tls -H tcp://archive1.lan.j4care.com:2376 version
    Client:
     Version:      1.11.1
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   5604cbe
     Built:        Tue Apr 26 23:30:23 2016
     OS/Arch:      linux/amd64

    Server:
     Version:      1.11.1
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   5604cbe
     Built:        Tue Apr 26 23:30:23 2016
     OS/Arch:      linux/amd64

  or with server verification:

    $ docker --tlsverify -H tcp://archive1.lan.j4care.com:2376 version
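The steps above (CA, a server certificate whose subjectAltName carries the daemon's host name and IPs, a client certificate, then the checks both sides perform) collected into one runnable script. This is an added example, not a script from the page or from the dcm4che/j4care projects: the host names, the CA name, the 2048-bit key size and the DOCKER_OPTS audit rules are assumptions of the example, and the CA key is left unencrypted only so that it runs non-interactively.

```shell
#!/bin/sh
# Added example, not part of the original page: build a CA, a server
# certificate whose subjectAltName lists the daemon's host name and IPs, and a
# client certificate, then verify them the way a --tlsverify client and daemon
# would.  All host names here are constructed for the example.
set -eu

# make_docker_tls_certs DIR SERVER_CN SAN
#   Writes ca.pem, ca-key.pem, server-cert.pem, server-key.pem, cert.pem and
#   key.pem into DIR (the file names the page copies into /etc/docker and
#   ~/.docker).  SAN is an openssl subjectAltName value such as
#   "DNS:archive1.example.test,IP:10.0.0.5,IP:127.0.0.1".
make_docker_tls_certs() {
    dir=$1; server_cn=$2; san=$3
    mkdir -p "$dir"
    # CA.  The key is left unencrypted so the example runs non-interactively;
    # the page's CA key is passphrase-protected, which is the right choice
    # for a real CA.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -subj "/CN=example-docker-ca" \
        -key "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    # Server certificate: CN plus the subjectAltName extension, as on the
    # page, restricted to serverAuth so it cannot double as a client cert.
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$server_cn" -key "$dir/server-key.pem" \
        -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" \
        > "$dir/server-ext.cnf"
    openssl x509 -req -days 3650 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" -extfile "$dir/server-ext.cnf" 2>/dev/null
    # Client certificate, restricted to clientAuth.
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=docker-client" -key "$dir/key.pem" \
        -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.cnf"
    openssl x509 -req -days 3650 -sha256 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/cert.pem" -extfile "$dir/client-ext.cnf" 2>/dev/null
    rm -f "$dir"/*.csr "$dir"/*.cnf
}

# verify_server_cert DIR HOST
#   Succeeds when server-cert.pem chains to DIR/ca.pem and names HOST in its
#   SAN: what a client with --tlsverify (and without --skip-hostname-check)
#   requires before it talks to the daemon.
verify_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver \
        "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server-cert.pem" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host"
}

# verify_client_cert DIR
#   Succeeds when cert.pem chains to DIR/ca.pem and is usable for client
#   authentication: the daemon's --tlsverify check on a connecting client.
verify_client_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient \
        "$dir/cert.pem" >/dev/null 2>&1
}

# docker_opts_is_safe LINE
#   Audits a DOCKER_OPTS line from /etc/default/docker: a tcp:// listener is
#   acceptable only together with --tlsverify, and never on the plain-TCP
#   port 2375 (audit rules are this example's assumption).
docker_opts_is_safe() {
    case $1 in
        *tcp://*) ;;
        *) return 0 ;;            # only the unix socket: nothing exposed
    esac
    case $1 in
        *--tlsverify*) ;;
        *) return 1 ;;            # TCP without client-certificate verification
    esac
    case $1 in
        *:2375*) return 1 ;;      # still on the historical plain-TCP port
    esac
    return 0
}

# Demo run: DOCKER_TLS_DEMO=1 sh this_script.sh
if [ "${DOCKER_TLS_DEMO:-}" = 1 ]; then
    tmp=$(mktemp -d)
    make_docker_tls_certs "$tmp" archive1.example.test \
        "DNS:archive1.example.test,IP:127.0.0.1"
    verify_server_cert "$tmp" archive1.example.test && echo "server cert ok"
    verify_client_cert "$tmp" && echo "client cert ok"
    docker_opts_is_safe 'DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"' \
        || echo "DOCKER_OPTS still exposes plain TCP"
    rm -rf "$tmp"
fi
```

The server certificate is restricted to serverAuth and the client certificate to clientAuth, so a leaked client certificate cannot be presented as a daemon and vice versa; the page's certificates carry no extendedKeyUsage, which Docker accepts but which gives one certificate both roles. The host-name check in verify_server_cert is the one a client skips with `--tls` instead of `--tlsverify`, or with `--skip-hostname-check` in docker-compose.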
- Using maestro you have to activate TLS in the ships configuration, e.g.:

    ships:
      archive1:
        ip: 192.168.100.245
        endpoint: archive1.lan.j4care.com
        docker_port: 2376
        tls: true
        tls_verify: true
        tls_ca_cert: /home/j4care/.docker/ca.pem
        tls_key: /home/j4care/.docker/key.pem
        tls_cert: /home/j4care/.docker/cert.pem

  Deactivating server verification by removing tls_verify and tls_ca_cert from the ship configuration works, but generates warnings in Maestro's output:

    /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
- Using docker-compose:

    $ docker-compose --tlsverify --skip-hostname-check \
        --tlscacert=$HOME/.docker/ca.pem \
        --tlscert=$HOME/.docker/cert.pem \
        --tlskey=$HOME/.docker/key.pem \
        -H tcp://archive1.lan.j4care.com:2376 ...

  or with server verification:

    $ docker-compose --tlsverify \
        --tlscacert=$HOME/.docker/ca.pem \
        --tlscert=$HOME/.docker/cert.pem \
        --tlskey=$HOME/.docker/key.pem \
        -H tcp://archive1.lan.j4care.com:2376 ...