@ianmiell
Forked from RomkeVdMeulen/secure_expose_docker.sh
Last active August 29, 2015 14:19
Based on this Docker article.

Run this script on the server. It generates a private CA, a server certificate signed by that CA, and a client certificate signed by the same CA, then configures the Docker daemon to listen on TCP with --tlsverify, so that it accepts only TLS connections whose client presents a certificate chaining to that CA.

Usage: secure_expose_docker.sh [host] [password]

The password only encrypts ca-key.pem at rest. The server and client private keys are written unencrypted, so it is not needed for day-to-day use, but keep it if you want to sign further client certificates with this CA later. Note that it is passed as a command-line argument and is therefore visible in the process list (ps) while the script runs.

For host, use the DNS name of your server exactly as you will pass it to docker -H: it is written into the server certificate, and the client checks the name it connected to against that certificate (current Docker clients match it against a subjectAltName, not the CN).

The script writes everything to /etc/docker as root. The daemon needs ca.pem, server-cert.pem and server-key.pem; a client needs ca.pem, cert.pem and key.pem, which you copy to ~/.docker/ on the machine you connect from (or point DOCKER_CERT_PATH at them) so they can be read without sudo.

#!/bin/bash
if [ $# -lt 2 ]; then
  echo "Usage: $0 [domain to connect] [password]"
  exit 1
fi
set -e
host="$1"
pass="$2"   # only protects ca-key.pem at rest; argv is visible in `ps` while this runs
red='\033[0;31m'
green='\033[0;32m'
orange='\033[0;33m'
blue='\033[0;34m'
nocolor='\033[0m'
if [ -d /etc/docker ] && [ -f /etc/docker/ca-key.pem ]; then
  echo -ne "${orange}Docker security config already exists: overwrite? [Y/n] ${nocolor}"
  read -r answer
  if [ "x${answer}" = "xn" ]; then exit; fi
fi
echo -e "${blue}Creating secure public connection for Docker daemon${nocolor}"
[ -d /etc/docker ] || sudo mkdir /etc/docker
cd /etc/docker
# Remove only what this script generates: `rm *` would also delete daemon.json, key.json
# or anything else kept in /etc/docker, and aborts under `set -e` when the directory is empty.
sudo rm -fv ca-key.pem ca.pem ca.srl server-key.pem server-cert.pem key.pem cert.pem extfile.cnf
echo -e "${blue}Generating Certificate Authority${nocolor}"
sudo openssl genrsa -aes256 -passout "pass:${pass}" -out ca-key.pem 2048
# Double quotes here: the single-quoted -subj in the original never expanded $1,
# so the CA was issued with a literal "$1" as its CN.
sudo openssl req -new -x509 -days 365 -key ca-key.pem -passin "pass:${pass}" -sha256 -out ca.pem \
  -subj "/C=NL/ST=./L=./O=./CN=${host}"
echo -e "${blue}Generating and signing server key${nocolor}"
sudo openssl genrsa -out server-key.pem 2048
sudo openssl req -subj "/CN=${host}" -new -key server-key.pem -out server.csr
# The host name must also be in a subjectAltName: Go, and therefore the docker client,
# no longer matches the CN, and a CN-only server cert fails verification.
sudo sh -c "printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' '${host}' > server-ext.cnf"
sudo openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:${pass}" \
  -CAcreateserial -out server-cert.pem -extfile server-ext.cnf
echo -e "${blue}Generating and signing client key${nocolor}"
sudo openssl genrsa -out key.pem 2048
sudo openssl req -subj '/CN=client' -new -key key.pem -out client.csr
# clientAuth only: this cert cannot be reused to impersonate the daemon.
sudo sh -c 'echo "extendedKeyUsage = clientAuth" > extfile.cnf'
sudo openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:${pass}" \
  -CAcreateserial -out cert.pem -extfile extfile.cnf
sudo rm client.csr server.csr server-ext.cnf extfile.cnf
sudo chmod 0400 ca-key.pem key.pem server-key.pem
sudo chmod 0444 ca.pem server-cert.pem cert.pem
echo -e "${blue}Configuring Docker${nocolor}"
# The append must run as root too (the original redirected as the invoking user and failed).
# DOCKER_OPTS in /etc/default/docker is only read by the upstart/sysvinit scripts; on a systemd
# host put the same flags in /etc/docker/daemon.json or a unit override instead. 4243 is the
# gist's choice of port; Docker's conventional TLS port is 2376.
echo 'DOCKER_OPTS="--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"' | sudo tee -a /etc/default/docker > /dev/null
sudo service docker restart
echo -e "${green}Secure Docker daemon connection now available on port 4243${nocolor}"
echo "Let's test the connection by running:"
echo "sudo docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=${host}:4243 version"
echo
# key.pem is root-owned with mode 0400, so this probe has to run as root; for normal use copy
# ca.pem, cert.pem and key.pem to ~/.docker/ owned by your user (or set DOCKER_CERT_PATH).
sudo docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H="${host}:4243" version
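What --tlsverify actually enforces is easiest to see end to end. The following is an added example, not code from this gist or from Docker: it builds the same three-part PKI (a CA, a server certificate, and a client certificate limited to clientAuth) in memory with Go's crypto/x509, since the Docker daemon and client are Go programs and their TLS behaviour is Go's crypto/tls, then runs an in-process RequireAndVerifyClientCert listener, the daemon side of --tlsverify, and probes it four ways. The host name docker.example.test is an assumed stand-in for the script's $1, ECDSA P-256 keys stand in for the script's RSA files, and nothing touches /etc/docker or a real daemon.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

const host = "docker.example.test" // stands in for the script's $1 (assumed name, not from the gist)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keyPair is the in-memory equivalent of one *-key.pem / *.pem pair from /etc/docker.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
type pki struct{ ca, server, client *keyPair }

// issue signs tmpl with the parent's key (self-signed when parent is nil): `openssl x509 -req -CA ca.pem -CAkey ca-key.pem`.
func issue(tmpl *x509.Certificate, parent *keyPair) *keyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // stand-in for the ca.srl counter
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour) // -days 365
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &keyPair{cert: must(x509.ParseCertificate(der)), key: key}
}

// buildPKI mirrors the script: a CA, a server cert for host and a client cert limited to clientAuth
// (the extfile.cnf line). withSAN=false reproduces a server cert that carries the host only in its CN.
func buildPKI(withSAN bool) *pki {
	ca := issue(&x509.Certificate{Subject: pkix.Name{CommonName: host}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}, nil)
	srv := &x509.Certificate{Subject: pkix.Name{CommonName: host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if withSAN {
		srv.DNSNames = []string{host} // what Go-based clients such as docker actually match against
	}
	cli := &x509.Certificate{Subject: pkix.Name{CommonName: "client"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return &pki{ca: ca, server: issue(srv, ca), client: issue(cli, ca)}
}

// configs returns the daemon side of --tlsverify (present server-cert.pem, require a client cert chaining
// to ca.pem) and the docker client side; client == nil models a run without --tlscert/--tlskey.
func configs(p *pki, client *keyPair) (srv, cli *tls.Config) {
	pool := x509.NewCertPool() // the --tlscacert=ca.pem trust anchor, used by both sides
	pool.AddCert(p.ca.cert)
	srv = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.server.cert.Raw}, PrivateKey: p.server.key}}}
	cli = &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}
	if client != nil {
		cli.Certificates = []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}}
	}
	return srv, cli
}

// connect is the `docker ... version` probe against an in-process listener: nil only if the daemon side
// accepted the client certificate and answered.
func connect(srvCfg, cliCfg *tls.Config) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	go func() { // daemon side: Handshake fails on a missing or foreign client cert
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if c.(*tls.Conn).Handshake() == nil {
				c.Write([]byte("ok"))
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	// Under TLS 1.3 the client handshake finishes before the server has checked the client cert,
	// so read the reply: "ok" on success, the server's rejection alert otherwise.
	_, err = io.ReadFull(conn, make([]byte, 2))
	return err
}

func main() {
	good, other, noSAN := buildPKI(true), buildPKI(true), buildPKI(false)
	fmt.Println("client cert from our CA     :", connect(configs(good, good.client)))
	fmt.Println("no client cert              :", connect(configs(good, nil)))
	fmt.Println("client cert from foreign CA :", connect(configs(good, other.client)))
	fmt.Println("server cert without SAN     :", connect(configs(noSAN, noSAN.client)))
}
```

Run it with go run: only the first probe returns nil. A client with no certificate and a client whose certificate was signed by a different CA are both rejected by the daemon side, which is the property --tlsverify buys you over a plain TCP listener. The fourth probe fails on the client side before any client certificate is sent, because a server certificate whose host name appears only in the CN does not verify against the name the client connected to; that is why the host belongs in a subjectAltName of server-cert.pem.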