@itzg
Last active February 15, 2022 21:00

Setup

This procedure uses the certs.sh script from my other gist. Get that script directly or git clone the gist.

Create certs

Init

./certs.sh init

Create server cert (one for each)

./certs.sh create -name centos-10 -cn centos-10.lan \
  -alt DNS:centos-10.lan,IP:192.168.0.10 -server -client

NOTE: I used the -client option to allow for the possibility of using this cert for something like securing etcd inter-node communication.

Create client cert

./certs.sh create -name client -cn CLIENT -client

Configure Docker daemon

Transfer the server cert using:

./certs.sh ssh -user root -name centos-10 -path /etc/docker

Follow the instructions in the Docker https docs and add a snippet like the following to /etc/default/docker on pre-systemd releases of Ubuntu (the paths below are where the certs.sh ssh step above placed the files; adjust them if you transferred the certs elsewhere):

DOCKER_OPTS="$DOCKER_OPTS -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376"
DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert=/etc/docker/ca.pem
  --tlscert=/etc/docker/centos-10-cert.pem
  --tlskey=/etc/docker/centos-10-key.pem"

or /etc/sysconfig/docker on Redhat-ish distros:

DOCKER_CERT_PATH=/etc/docker

other_args="$other_args -H unix:///var/run/docker.sock -H 0.0.0.0:2376"
other_args="$other_args --tlsverify
  --tlscacert=$DOCKER_CERT_PATH/ca.pem
  --tlscert=$DOCKER_CERT_PATH/centos-10-cert.pem
  --tlskey=$DOCKER_CERT_PATH/centos-10-key.pem"

NOTE: I left the UNIX socket binding to simplify local usage, but you can leave that out.
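Both snippets above protect the same thing: once the daemon listens on a TCP port, --tlsverify plus the CA, server cert and server key are what stop anyone who can reach the port from talking to it. The following is an added example, not part of the original gist, that checks an option string of the kind that ends up in DOCKER_OPTS or other_args for exactly that. The flag names are Docker's own; the two sample strings at the bottom are constructed (a plain-text listener on 2375, and the hardened form used in this gist).

```python
"""Check Docker daemon option strings for an unprotected TCP listener.

Added example, not part of the original gist: it parses the argument string
that ends up in DOCKER_OPTS or other_args and reports every TCP listener that
is not covered by --tlsverify together with a CA, server cert and server key.
The option names are Docker's own; the sample strings are constructed.
"""
import shlex
from typing import Dict, List

TLS_FILE_FLAGS = ("--tlscacert", "--tlscert", "--tlskey")
HOST_FLAGS = ("-H", "--host")


def parse_daemon_opts(opts: str) -> Dict[str, object]:
    """Split an option string into listener hosts and the TLS settings seen.

    Accepts '--flag=value' and '--flag value', and the newline-continued
    quoted strings used in /etc/default/docker (shlex treats them as spaces).
    """
    tokens = shlex.split(opts)
    hosts: List[str] = []
    tls: Dict[str, object] = {"--tlsverify": False, "--tls": False}
    i = 0
    while i < len(tokens):
        name, has_eq, val = tokens[i].partition("=")
        takes_value = name in HOST_FLAGS or name in TLS_FILE_FLAGS
        if takes_value and not has_eq:
            if i + 1 >= len(tokens):
                break  # dangling option with no value: nothing more to read
            val = tokens[i + 1]
            i += 1
        if name in HOST_FLAGS:
            hosts.append(val)
        elif name in TLS_FILE_FLAGS:
            tls[name] = val
        elif name in ("--tlsverify", "--tls"):
            # a bare flag means true; '--tlsverify=false' is the explicit off form
            tls[name] = val.lower() != "false" if has_eq else True
        i += 1
    return {"hosts": hosts, "tls": tls}


def is_tcp_listener(host: str) -> bool:
    """tcp://host:port, or a bare host:port, which Docker also treats as TCP."""
    if host.startswith("tcp://"):
        return True
    return "://" not in host and ":" in host


def find_tcp_exposure_problems(opts: str) -> List[str]:
    """Return findings for the option string; an empty list means every TCP
    listener requires a client certificate signed by the configured CA."""
    parsed = parse_daemon_opts(opts)
    tls = parsed["tls"]
    tcp_hosts = [h for h in parsed["hosts"] if is_tcp_listener(h)]
    if not tcp_hosts:
        return []  # only unix:// or fd:// sockets: nothing reachable over the network
    problems: List[str] = []
    if not tls["--tlsverify"]:
        if tls["--tls"]:
            problems.append("--tls without --tlsverify: the connection is encrypted "
                            "but clients are not authenticated")
        else:
            problems.append("TCP listener(s) %s without --tlsverify: anyone who can "
                            "reach the port gets root-equivalent control of the host"
                            % ", ".join(tcp_hosts))
    for flag in TLS_FILE_FLAGS:
        if not tls.get(flag):
            problems.append("%s is missing" % flag)
    return problems


# Constructed samples: a plain-text listener, and the gist's hardened form.
INSECURE_OPTS = "-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED_OPTS = (
    "-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/centos-10-cert.pem "
    "--tlskey=/etc/docker/centos-10-key.pem"
)

if __name__ == "__main__":
    for label, opts in (("insecure", INSECURE_OPTS), ("hardened", HARDENED_OPTS)):
        print(label, find_tcp_exposure_problems(opts) or ["ok"])
```

Pass it the part of the line inside the quotes (everything after `$DOCKER_OPTS` or `$other_args`); the checker also distinguishes `--tls`, which only encrypts, from `--tlsverify`, which is the option that actually authenticates clients.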

Don't forget to adjust your firewall rules, if applicable. Since the daemon binds 0.0.0.0, keep the rule as narrow as your network allows (for example, limited to the subnet your clients sit on):

iptables -I INPUT 1 -p tcp --dport 2376 -m comment --comment "Docker" -j ACCEPT

Using TLS on the client side

Use certs.sh bundle to create an archive of the client certificate files, (securely) transfer that archive to your client(s), and expand it.

docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
  -H=192.168.0.10:2376 \
  version

You can also copy the pem files into $HOME/.docker and set the DOCKER_TLS_VERIFY environment variable (the -H flag, or DOCKER_HOST, still selects the remote daemon):

cp ca.pem $HOME/.docker/ca.pem
cp *-cert.pem $HOME/.docker/cert.pem
cp *-key.pem $HOME/.docker/key.pem
export DOCKER_TLS_VERIFY=1

See the corresponding section of the Docker https docs for more information.

or with docker-machine

docker-machine --tls-ca-cert=ca.pem --tls-client-cert=client-cert.pem --tls-client-key=client-key.pem \
  create \
  --driver none \
  --url=tcp://192.168.0.10:2376 \
  centos-10

You can also copy the three pem files into $HOME/.docker/machine/machines/$MACHINE, but you need to rename them:

  • *-cert.pem to server.pem
  • *-key.pem to server-key.pem
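The cp lines for $HOME/.docker and the rename list for docker-machine are the same operation with two target layouts. The following is an added example, not part of the original gist, that performs that install while refusing a bundle that is ambiguous (no or several *-cert.pem / *-key.pem files), checking that each PEM's header matches its role so a key and a cert cannot be swapped, and writing the private key with mode 0600. File names follow the gist (ca.pem, name-cert.pem and name-key.pem in the bundle); the PEM bodies used by demo() are constructed placeholders, not real keys.

```python
"""Install the client-side certificate bundle into a Docker client directory.

Added example, not part of the original gist. Target names follow the gist:
$HOME/.docker uses cert.pem/key.pem, a docker-machine machine directory uses
server.pem/server-key.pem. Placeholder PEMs in demo() are constructed.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict

LAYOUTS = {
    "docker": {"cert": "cert.pem", "key": "key.pem"},
    "machine": {"cert": "server.pem", "key": "server-key.pem"},
}


def _single(bundle: Path, pattern: str) -> Path:
    """Exactly one match, or the bundle is ambiguous and we refuse to guess."""
    matches = sorted(bundle.glob(pattern))
    if len(matches) != 1:
        raise ValueError("expected one %s in %s, found %d" % (pattern, bundle, len(matches)))
    return matches[0]


def _expect_pem_type(path: Path, marker: str) -> None:
    """Reject a file whose first PEM header does not name the expected type."""
    first_line = path.read_text().lstrip().split("\n", 1)[0]
    if not first_line.startswith("-----BEGIN ") or marker not in first_line:
        raise ValueError("%s does not look like a %s PEM" % (path, marker))


def install_client_bundle(bundle_dir, dest_dir, layout: str = "docker") -> Dict[str, str]:
    """Copy ca/cert/key from an expanded certs.sh bundle into dest_dir.
    Returns a mapping of installed file name to its full path."""
    names = LAYOUTS[layout]
    bundle, dest = Path(bundle_dir), Path(dest_dir)
    ca = bundle / "ca.pem"
    if not ca.is_file():
        raise ValueError("bundle has no ca.pem; the daemon's cert cannot be verified without it")
    cert, key = _single(bundle, "*-cert.pem"), _single(bundle, "*-key.pem")
    _expect_pem_type(ca, "CERTIFICATE")
    _expect_pem_type(cert, "CERTIFICATE")
    _expect_pem_type(key, "PRIVATE KEY")
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)
    installed: Dict[str, str] = {}
    for src, target in ((ca, "ca.pem"), (cert, names["cert"]), (key, names["key"])):
        out = dest / target
        shutil.copyfile(src, out)
        # the key is what identifies you to the daemon: owner-only; the rest may be readable
        os.chmod(out, 0o600 if src == key else 0o644)
        installed[target] = str(out)
    return installed


# Constructed placeholders so the demo runs offline; these are not real keys.
PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
PLACEHOLDER_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def make_constructed_bundle(bundle: Path, name: str = "client") -> None:
    """Write a bundle with the file names certs.sh produces (placeholder bodies)."""
    bundle.mkdir(parents=True, exist_ok=True)
    (bundle / "ca.pem").write_text(PLACEHOLDER_CERT)
    (bundle / ("%s-cert.pem" % name)).write_text(PLACEHOLDER_CERT)
    (bundle / ("%s-key.pem" % name)).write_text(PLACEHOLDER_KEY)


def demo() -> Dict[str, object]:
    """Install into both layouts, then show the ambiguity check firing."""
    root = Path(tempfile.mkdtemp())
    try:
        bundle = root / "bundle"
        make_constructed_bundle(bundle)
        docker_files = install_client_bundle(bundle, root / ".docker", "docker")
        machine_files = install_client_bundle(bundle, root / "machines" / "centos-10", "machine")
        (bundle / "spare-key.pem").write_text(PLACEHOLDER_KEY)  # second key: ambiguous
        try:
            install_client_bundle(bundle, root / "dup", "docker")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "docker": sorted(docker_files),
            "key_mode": stat.S_IMODE(os.stat(docker_files["key.pem"]).st_mode),
            "machine": sorted(machine_files),
            "ambiguous_rejected": rejected,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

After installing into $HOME/.docker you still export DOCKER_TLS_VERIFY=1 and point the client at the daemon with -H or DOCKER_HOST, exactly as in the manual steps above.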