https://hub.docker.com/u/armhf/
# Throwaway interactive container (removed on exit) from the armhf/ubuntu image, running bash.
docker run --interactive --tty --rm armhf/ubuntu /usr/bin/env bash
https://docs.resin.io/runtime/resin-base-images/
# Same pattern with the resin base images: an interactive bash that is removed on exit.
docker run --interactive --tty --rm resin/rpi-raspbian:jessie /usr/bin/env bash
docker run --interactive --tty --rm resin/raspberrypi3-alpine-python /usr/bin/env bash
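# Load the overlay module at boot; append only if the line is not already
# present so that re-running these notes does not duplicate it.
grep -qx 'overlay' /etc/modules || echo "overlay" | sudo tee -a /etc/modules
sudo modprobe overlay
# Fetch the installer over HTTPS into a file instead of piping it to sh.
# Without a scheme curl starts with plain HTTP, and the script runs with root
# privileges, so the download should be authenticated. -f makes curl fail on
# an HTTP error instead of saving the error page. Read get-docker.sh before
# running it.
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh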
To use docker as the pi user without sudo (members of the docker group effectively have root on this host):
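# Add the user who invoked sudo to the docker group. The expansion is quoted
# inside the single-quoted script so the inner sh passes it as one word.
# Anyone in this group can drive the daemon, which runs as root.
sudo sh -c 'usermod -aG docker "$SUDO_USER"'
sudo systemctl restart docker
# newgrp starts a new shell with docker as the current group, so the new
# membership is usable without logging out and back in.
newgrp docker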
The 'get.docker.com' install script run above creates the systemd override file /etc/systemd/system/docker.service.d/overlay.conf
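To make docker listen on the network (port 2375 is unencrypted and unauthenticated, so anyone who can reach it controls the daemon; the TLS steps below move it to 2376 with client certificates):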
# On the last line of the override file, replace any trailing blanks with
# " -H tcp://0.0.0.0:2375", i.e. append a TCP listener on all interfaces to
# the daemon command line. The substitution always matches, so running this
# twice appends the option twice.
# NOTE(review): until the TLS edit further down is applied, the daemon accepts
# unauthenticated plain-TCP connections from every reachable network. Either
# apply both sed edits before restarting docker, or firewall the port for the
# time in between.
sudo sed -e '${s%[[:blank:]]*$% -H tcp://0.0.0.0:2375%;}' -i /etc/systemd/system/docker.service.d/overlay.conf
# Make systemd re-read the edited unit override, then restart docker only if
# it is currently running.
sudo systemctl daemon-reload
sudo systemctl try-restart docker
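# One directory each for the CA, the daemon (server) and the workstation (client).
sudo mkdir -pv /etc/docker/certs.d/{ca,server,client}
# CA: Private key and self-signed cert
# -nodes leaves ca-key.pem unencrypted on the same host as the daemon. Whoever
# can read it can issue client certificates that the daemon will accept, so
# move the CA key off the Pi (or encrypt it) once the certs below are signed.
# -sha256 sets the signature digest explicitly instead of relying on the
# default of the installed OpenSSL.
sudo openssl req \
  -x509 \
  -sha256 \
  -days 3650 \
  -newkey rsa:4096 \
  -nodes \
  -keyout /etc/docker/certs.d/ca/ca-key.pem \
  -out /etc/docker/certs.d/ca/ca.pem \
  -subj "/C=US/CN=$( hostname )"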
# Server: fresh 4096-bit RSA key plus a signing request for the daemon.
# The key is written unencrypted (-nodes) so dockerd can read it without a
# passphrase prompt.
sudo openssl req \
  -new \
  -nodes \
  -newkey rsa:4096 \
  -keyout /etc/docker/certs.d/server/server-key.pem \
  -out /etc/docker/certs.d/server/server.csr \
  -subj "/C=US/CN=$( hostname )"
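# Server: Cert from CA with home network name and IPs as alt names
# Build the SAN list from `ip` rather than by grepping ifconfig for
# 'inet addr:', which newer net-tools no longer prints. Each address is
# prefixed with a comma, so an empty address list cannot leave a dangling
# comma. Loopback is included, as it was with ifconfig.
san="DNS:raspberrypi.home$( ip -4 -o addr show | awk '{ split($4, a, "/"); printf ",IP:%s", a[1] }' )"
# extendedKeyUsage = serverAuth restricts this cert to the server role, so it
# cannot also be presented to the daemon as a client certificate.
printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" | sudo tee /etc/docker/certs.d/server/extfile.cnf
# -CAserial names the serial file explicitly, so -CAcreateserial creates it at
# the path the client signing step reads (/etc/docker/certs.d/ca/ca.srl).
# The original moved it there from /etc/docker/certs.srl afterwards, a default
# location that appears to depend on the OpenSSL version.
sudo openssl x509 \
  -req \
  -sha256 \
  -days 3650 \
  -in /etc/docker/certs.d/server/server.csr \
  -out /etc/docker/certs.d/server/server.pem \
  -CA /etc/docker/certs.d/ca/ca.pem \
  -CAkey /etc/docker/certs.d/ca/ca-key.pem \
  -CAserial /etc/docker/certs.d/ca/ca.srl \
  -CAcreateserial \
  -extfile /etc/docker/certs.d/server/extfile.cnf
# The CSR is not needed once the cert is issued.
sudo rm -v /etc/docker/certs.d/server/server.csr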
# Workstation: fresh 4096-bit RSA key plus a signing request for the client.
# key.pem is written unencrypted (-nodes). Possession of it, together with the
# signed cert, is what authenticates the workstation to the daemon.
sudo openssl req \
  -new \
  -nodes \
  -newkey rsa:4096 \
  -keyout /etc/docker/certs.d/client/key.pem \
  -out /etc/docker/certs.d/client/cert.csr \
  -subj "/C=US/CN=client"
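# Workstation: Cert from CA; CN not as important b/c workstation docker will not be accepting connections
# extendedKeyUsage = clientAuth limits the cert to authenticating as a client.
echo "extendedKeyUsage = clientAuth" | sudo tee /etc/docker/certs.d/client/extfile.cnf
# -sha256 sets the signature digest explicitly instead of relying on the
# default of the installed OpenSSL. The serial file was created when the
# server cert was signed.
sudo openssl x509 \
  -req \
  -sha256 \
  -days 3650 \
  -in /etc/docker/certs.d/client/cert.csr \
  -out /etc/docker/certs.d/client/cert.pem \
  -CA /etc/docker/certs.d/ca/ca.pem \
  -CAkey /etc/docker/certs.d/ca/ca-key.pem \
  -CAserial /etc/docker/certs.d/ca/ca.srl \
  -extfile /etc/docker/certs.d/client/extfile.cnf
# The CSR is not needed once the cert is issued.
sudo rm -v /etc/docker/certs.d/client/cert.csr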
# Restrict every private key under certs.d (ca-key.pem, server-key.pem,
# key.pem) to owner read-only. chmod -c reports each file it changes.
# NOTE(review): until this runs, the keys keep whatever mode openssl created
# them with. Check that they were not group/world-readable in the meantime.
sudo find /etc/docker/certs.d/ -mindepth 1 -type f \( -name 'key.pem' -o -name '*-key.pem' \) -exec chmod -c a=,u=r {} +
# Two edits to the override file:
#  1. rewrite the listener port from 2375 to 2376;
#  2. on the last line, replace trailing blanks with the TLS options, i.e.
#     append --tlsverify plus the CA cert, server cert and server key paths.
# With --tlsverify the daemon only accepts clients that present a certificate
# signed by ca.pem. Like the earlier sed, the second edit always matches, so
# running this twice appends the options twice.
sudo sed -r -e 's%(tcp://0.0.0.0:237)5%\16%;' -e '${s%[[:blank:]]*$% --tlsverify --tlscacert=/etc/docker/certs.d/ca/ca.pem --tlscert=/etc/docker/certs.d/server/server.pem --tlskey=/etc/docker/certs.d/server/server-key.pem%;}' -i /etc/systemd/system/docker.service.d/overlay.conf
# Make systemd re-read the edited unit override, then restart docker only if
# it is currently running.
sudo systemctl daemon-reload
sudo systemctl try-restart docker
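# Stage the client bundle (CA cert, client key, client cert) in the home
# directory for copying to the workstation. The directory is created
# owner-only because key.pem grants full control of the daemon. -p makes the
# step repeatable.
mkdir -p -m 700 ~/tls/
sudo cp -av \
  /etc/docker/certs.d/ca/ca.pem \
  /etc/docker/certs.d/client/key.pem \
  /etc/docker/certs.d/client/cert.pem \
  ~/tls/
# Hand the copies to the current user. id -gn gives the user's actual primary
# group rather than assuming it has the same name as the user.
sudo chown -cR "$(id -un):$(id -gn)" ~/tls/
# Remove ~/tls from the Pi once the workstation has its copy.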
#From your workstation: scp -r pi@raspberrypi.home:tls ~/.docker