everything as
sudo su
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr
Make sure to change IP
echo subjectAltName = DNS:$HOSTNAME,IP:192.168.26.244,IP:127.0.0.1 > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
dockerd --tlsverify --tlscacert=/usr/lib/docker/ca.pem --tlscert=/usr/lib/docker/server-cert.pem --tlskey=/usr/lib/docker/server-key.pem -H=0.0.0.0:2376
- create daemon.json: put file at /etc/docker/daemon.json (see server\etc-docker-daemon.json)
- update /lib/systemd/system/docker.service to change this line: ExecStart=/usr/bin/dockerd -H fd:// to
ExecStart=/usr/bin/dockerd
- Reload service configurations
systemctl daemon-reload
- Start Docker service
systemctl start docker
- Check status of docker service
systemctl status docker
- Same as last command but now wraps long lines instead of truncating them
systemctl -l --no-page status docker
copy ca.pem, server-cert.pem, and cert.pem from the server to the client machine
Change the IP and cert path
export DOCKER_HOST=tcp://192.168.26.244:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/home/osboxes/244
docker image list