@digitaldrummerj
Last active June 28, 2017 17:24
Docker ubuntu for using docker as a remote host

For Ubuntu 16.04 LTS and Docker CE 17.x

Run everything as root (sudo su).

Server

Generate Certs

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr

Make sure to change the IP in the subjectAltName line to your server's address

echo subjectAltName = DNS:$HOSTNAME,IP:192.168.26.244,IP:127.0.0.1 > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
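# Start the daemon by hand to test TLS; these paths assume the PEM files above were generated in /usr/lib/docker
dockerd --tlsverify --tlscacert=/usr/lib/docker/ca.pem --tlscert=/usr/lib/docker/server-cert.pem --tlskey=/usr/lib/docker/server-key.pem -H=0.0.0.0:2376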

Setup Docker Daemon to run correctly

  1. Create daemon.json: put the file at /etc/docker/daemon.json (see server\etc-docker-daemon.json)
  2. Update /lib/systemd/system/docker.service to change this line: ExecStart=/usr/bin/dockerd -H fd:// to
     ExecStart=/usr/bin/dockerd
  3. Reload service configurations
     systemctl daemon-reload
  4. Start Docker service
     systemctl start docker
  5. Check status of docker service
     systemctl status docker
  6. Same as last command but now wraps long lines instead of truncating them
     systemctl -l --no-page status docker

Client

Copy ca.pem, server-cert.pem, and cert.pem from the server to the client machine.

Export Env Variables

Change the IP and cert path

export DOCKER_HOST=tcp://192.168.26.244:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/home/osboxes/244

docker image list
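
A pre-flight check for the files generated above, added here as an example (not part of the original gist): it confirms that each certificate chains to ca.pem and matches its private key, that the server certificate's SAN covers the IP clients will dial, and that private keys are not readable by group or other. The function names are this example's own; it assumes openssl is installed and that the client directory holds ca.pem, cert.pem and key.pem, the three files the docker CLI reads from DOCKER_CERT_PATH.

```shell
#!/bin/sh
# Added example: sanity-check the PEM files before pointing dockerd or the docker CLI at them.
# Function names are hypothetical; file names are the ones used on this page.

# perms_private FILE: succeed if group/other have no permission bits on FILE.
perms_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_matches CERT KEY: succeed if CERT carries the public half of KEY.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# san_has_ip CERT IP: succeed if CERT lists exactly IP as a subjectAltName entry.
san_has_ip() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "IP Address:$2"
}

# check_client DIR: DIR is the directory DOCKER_CERT_PATH will point at.
check_client() {
    for f in ca.pem cert.pem key.pem; do
        [ -r "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
    openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null 2>&1 ||
        { echo "cert.pem is not a client cert signed by ca.pem" >&2; return 1; }
    key_matches "$1/cert.pem" "$1/key.pem" ||
        { echo "key.pem does not match cert.pem" >&2; return 1; }
    perms_private "$1/key.pem" ||
        { echo "key.pem is accessible by group/other" >&2; return 1; }
}

# check_server DIR IP: DIR holds the daemon's files, IP is the address clients dial.
check_server() {
    openssl verify -purpose sslserver -CAfile "$1/ca.pem" "$1/server-cert.pem" >/dev/null 2>&1 ||
        { echo "server-cert.pem is not a server cert signed by ca.pem" >&2; return 1; }
    key_matches "$1/server-cert.pem" "$1/server-key.pem" ||
        { echo "server-key.pem does not match server-cert.pem" >&2; return 1; }
    san_has_ip "$1/server-cert.pem" "$2" ||
        { echo "server-cert.pem has no SAN entry for $2" >&2; return 1; }
    perms_private "$1/server-key.pem" ||
        { echo "server-key.pem is accessible by group/other" >&2; return 1; }
}
```

After sourcing the file, run `check_server /usr/lib/docker 192.168.26.244` on the server and `check_client "$DOCKER_CERT_PATH"` on the client, substituting your own IP and paths.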