itzg/Using certs script to secure Docker daemon.md

## Using certs script to secure Docker daemon.md

      
    Raw
  

              Using certs script to secure Docker daemon.md
            
          
    Setup

This procedure uses the certs.sh located over at my other gist.
Get that script directly or git clone the gist.
Create certs

Init

./certs.sh init

Create server cert (one for each)

./certs.sh create -name centos-10 -cn centos-10.lan \
  -alt DNS:centos-10.lan,IP:192.168.0.10 -server -client

NOTE I used the -client option to allow for the possibility of using this cert for something like
securing etcd inter-node communication.
Create client cert

./certs.sh create -name client -cn CLIENT -client

Configure Docker daemon

Transfer the server cert using:
./certs.sh ssh -user root -name centos-10 -path /etc/docker

Follow the instructions on the https docs and add a
snippet like the following to /etc/default/docker on pre-systemd releases of Ubuntu:
DOCKER_OPTS="$DOCKER_OPTS -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376"
DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert=/var/lib/docker/ca.pem
  --tlscert=/var/lib/docker/server.pem
  --tlskey=/var/lib/docker/server-key.pem"

or /etc/sysconfig/docker on Redhat-ish distros:
DOCKER_CERT_PATH=/etc/docker

other_args="$other_args -H unix:///var/run/docker.sock -H 0.0.0.0:2376"
other_args="$other_args --tlsverify
  --tlscacert=$DOCKER_CERT_PATH/ca.pem
  --tlscert=$DOCKER_CERT_PATH/centos-10-cert.pem
  --tlskey=$DOCKER_CERT_PATH/centos-10-key.pem"

NOTE: I left the UNIX socket binding to simplify local usage, but you can leave that out.
Don't forget to adjust your firewall rules, if applicable:
iptables -I INPUT 1 -p tcp --dport 2376 -m comment --comment "Docker" -j ACCEPT

Using TLS on the client side

Use certs.sh bundle to create an archive of the client certificate files and (securely) transfer that archive
to your client(s) and expand it.
docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
  -H=192.168.0.10:2376 \
  version

You can also copy the pem files into $HOME/.docker and set the DOCKER_TLS_VERIFY environment variable:
cp ca.pem $HOME/.docker/ca.pem
cp *-cert.pem $HOME/.docker/cert.pem
cp *-key.pem $HOME/.docker/key.pem
export DOCKER_TLS_VERIFY=1

See this section for more information.
or with docker-machine

docker-machine --tls-ca-cert=ca.pem --tls-client-cert=client-cert.pem --tls-client-key=client-key.pem \
  create \
  --driver none \
  --url=tcp://192.168.0.10:2376 \
  centos-10

You can also copy the three pem files into $HOME/.docker/machine/machines/$MACHINE, but need to rename

*-cert.pem TO server.pem
*-key.pem TO server-key.pem