Docker on Raspbian

Docker

Using

https://hub.docker.com/u/armhf/

  • docker run -ti --rm armhf/ubuntu /usr/bin/env bash

https://docs.resin.io/runtime/resin-base-images/

  • docker run -ti --rm resin/rpi-raspbian:jessie /usr/bin/env bash
  • docker run -ti --rm resin/raspberrypi3-alpine-python /usr/bin/env bash

Install

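# Load the overlay storage-driver module now and on every boot. The append is
# guarded so re-running these notes does not duplicate the /etc/modules entry.
grep -qx 'overlay' /etc/modules || echo 'overlay' | sudo tee -a /etc/modules
sudo modprobe overlay

# Docker's convenience installer. Note the scheme: a bare "get.docker.com" makes
# curl start with plain HTTP and only then follow the redirect to HTTPS, so an
# on-path attacker could answer that first request with their own script and
# `sh` would run it (the script escalates itself with sudo). Fetch over HTTPS
# explicitly, into a file you can read first, instead of piping straight into
# a shell. -f makes curl fail on an HTTP error instead of handing sh an error
# page.
curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh    # review what is about to run as root
sh get-docker.sh
rm -f get-docker.sh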

User

To use docker as the pi user without sudo, add that user to the docker group. Be aware that docker-group membership is root-equivalent: anyone who can talk to the daemon socket can start a container that mounts the host filesystem, so only grant it to an account you would also trust with sudo.

# Let the invoking (pi) user drive docker without sudo by adding it to the
# docker group. Membership in that group is root-equivalent: anyone who can
# talk to the daemon socket can run a privileged container or bind-mount /,
# so only grant it to accounts you would also trust with sudo.
sudo usermod -aG docker "$(id -un)"
sudo systemctl restart docker
# The new group only applies to fresh logins; newgrp starts a shell that has
# it immediately.
newgrp docker

Network

The earlier get.docker.com installer created the systemd drop-in /etc/systemd/system/docker.service.d/overlay.conf, whose last line is the dockerd ExecStart= line that the sed commands below edit. To make dockerd also listen on the network, append a -H tcp:// listener to that line. Warning: tcp://0.0.0.0:2375 is the unencrypted, unauthenticated API on every interface — anyone who can reach that port has root on the Pi. Only do this on a network you trust, and complete the TLS section below (which moves the listener to 2376 with --tlsverify) before anything else can reach the host.

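# Expose the daemon on TCP. The sed appends to the LAST line of the drop-in,
# which is only correct while that line is still the installer's ExecStart=;
# check that before editing so a changed drop-in does not get the flag glued
# onto some other line.
#
# SECURITY: -H tcp://0.0.0.0:2375 is the plaintext, unauthenticated API on
# every interface — reaching that port is root on this host. Treat this as a
# temporary state and finish the TLS section (2376 + --tlsverify) right after.
conf=/etc/systemd/system/docker.service.d/overlay.conf
sudo tail -n 1 "$conf" | grep -q '^ExecStart=' \
  && sudo sed -e '${s%[[:blank:]]*$% -H tcp://0.0.0.0:2375%;}' -i "$conf"
sudo systemctl daemon-reload
sudo systemctl try-restart docker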

TLS

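# Certificate material lives under /etc/docker/certs.d. The CA directory is
# created 0700 because the CA private key ends up there: anyone who can read
# it can mint client certificates the daemon will accept. Keeping the CA key
# on the same box as the daemon it protects is a home-lab shortcut — a
# compromise of the Pi is a compromise of the CA — so either accept that or
# keep the CA key offline and copy only ca.pem here.
sudo install -d -m 0700 /etc/docker/certs.d/ca
sudo mkdir -pv /etc/docker/certs.d/{server,client}

# CA: private key and self-signed certificate (10 years, no passphrase).
# The CN is deliberately different from the server certificate's
# CN=$(hostname): when a leaf's subject equals its issuer's subject, some
# OpenSSL versions treat the leaf as self-signed and reject the chain.
sudo openssl req \
  -nodes \
  -keyout /etc/docker/certs.d/ca/ca-key.pem \
  -newkey rsa:4096 \
  -x509 \
  -days 3650 \
  -out /etc/docker/certs.d/ca/ca.pem \
  -subj "/C=US/CN=$( hostname ) Docker CA"
# Lock the key down as soon as it exists rather than relying on the blanket
# chmod at the end of the TLS section.
sudo chmod 0400 /etc/docker/certs.d/ca/ca-key.pem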
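# Server: private key and CSR. Clients match on the subjectAltName set below,
# so the CN is mostly informational.
sudo openssl req \
  -new \
  -newkey rsa:4096 \
  -nodes \
  -out /etc/docker/certs.d/server/server.csr \
  -keyout /etc/docker/certs.d/server/server-key.pem \
  -subj "/C=US/CN=$( hostname )"
sudo chmod 0400 /etc/docker/certs.d/server/server-key.pem

# Server: certificate signed by the CA, with the home-network name and the
# host's addresses as alt names. `hostname -I` lists the configured addresses
# directly; the previous `ifconfig | grep 'inet addr:'` parse only matches the
# old net-tools output format and on newer releases silently yields no IP
# entries at all. Loopback is added explicitly so the TLS listener can be
# tested from the Pi itself. Set san_dns to the name you will connect with.
san_dns=raspberrypi.home
san="DNS:${san_dns},IP:127.0.0.1"
for ip in $(hostname -I); do   # word-splitting on the space-separated list is intended
  san="${san},IP:${ip}"
done
printf 'subjectAltName = %s\n' "$san" | sudo tee /etc/docker/certs.d/server/extfile.cnf

# -CAserial names the serial file explicitly. Without it openssl derives the
# name from the CA file path (here that landed at /etc/docker/certs.srl, which
# is why this step used to `mv` it into place), and that derivation has
# changed across OpenSSL versions. -CAcreateserial still creates the file the
# first time.
sudo openssl x509 \
  -req \
  -days 3650 \
  -in /etc/docker/certs.d/server/server.csr \
  -out /etc/docker/certs.d/server/server.pem \
  -CA /etc/docker/certs.d/ca/ca.pem \
  -CAkey /etc/docker/certs.d/ca/ca-key.pem \
  -CAcreateserial \
  -CAserial /etc/docker/certs.d/ca/ca.srl \
  -extfile /etc/docker/certs.d/server/extfile.cnf

sudo rm -v /etc/docker/certs.d/server/server.csr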
# Workstation client identity. The key is generated here for convenience and
# copied to the workstation afterwards; generating it on the workstation and
# sending only the CSR back would keep the private key off the Pi entirely.
client=/etc/docker/certs.d/client
ca=/etc/docker/certs.d/ca
sudo openssl req \
  -new \
  -newkey rsa:4096 \
  -nodes \
  -out "${client}/cert.csr" \
  -keyout "${client}/key.pem" \
  -subj "/C=US/CN=client"

# Sign it with the CA. The daemon accepts any client certificate that chains
# to --tlscacert, so the CN is cosmetic; extendedKeyUsage=clientAuth marks
# the certificate as client-only.
printf 'extendedKeyUsage = clientAuth\n' | sudo tee "${client}/extfile.cnf"
sudo openssl x509 \
  -req \
  -days 3650 \
  -in "${client}/cert.csr" \
  -out "${client}/cert.pem" \
  -CA "${ca}/ca.pem" \
  -CAkey "${ca}/ca-key.pem" \
  -CAserial "${ca}/ca.srl" \
  -extfile "${client}/extfile.cnf"

sudo rm -v "${client}/cert.csr"
# Every private key under certs.d becomes 0400 root (dockerd runs as root, so
# it can still read its own key).
sudo find /etc/docker/certs.d/ -mindepth 1 -type f \
  \( -name '*-key.pem' -o -name 'key.pem' \) \
  -exec chmod -c 0400 {} +

# Move the listener added in the Network section from 2375 to 2376 (the
# conventional TLS port) and require client certificates signed by the CA
# above. Both edits target the drop-in's last (ExecStart=) line; if the
# Network step was skipped, the TLS flags are still appended but no tcp://
# listener exists for them to protect.
conf=/etc/systemd/system/docker.service.d/overlay.conf
certs=/etc/docker/certs.d
sudo sed -r \
  -e 's%(tcp://0.0.0.0:237)5%\16%;' \
  -e "\${s%[[:blank:]]*\$% --tlsverify --tlscacert=${certs}/ca/ca.pem --tlscert=${certs}/server/server.pem --tlskey=${certs}/server/server-key.pem%;}" \
  -i "$conf"
sudo systemctl daemon-reload
sudo systemctl try-restart docker
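# Bundle the client material for the workstation. The directory is created
# 0700 (and -d tolerates re-runs, unlike a bare mkdir) and handed to the
# invoking user; key.pem was made 0400 above, so after the chown only that
# user can read it.
install -d -m 0700 ~/tls
sudo cp -av \
  /etc/docker/certs.d/ca/ca.pem \
  /etc/docker/certs.d/client/key.pem \
  /etc/docker/certs.d/client/cert.pem \
  ~/tls/
# id -u/-g uses the real primary group; "$(whoami):$(whoami)" assumes a group
# named after the user exists.
sudo chown -cR "$(id -u):$(id -g)" ~/tls/
# From your workstation. Copy the files rather than the directory: `scp -r`
# into an existing ~/.docker would create ~/.docker/tls instead of placing
# ca.pem, cert.pem and key.pem where the client looks for them.
#   scp 'pi@raspberrypi.home:tls/*.pem' ~/.docker/
# Then confirm the daemon rejects anything but a CA-signed client:
#   docker --tlsverify -H tcp://raspberrypi.home:2376 version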