Enable Docker Remote API via daemon.json
{
  "authorization-plugins": ["kekruauth"],
  "hosts": ["unix:///var/run/docker.sock", "tcp://"],
  "tls": true,
  "tlscacert": "/home/kevin/docker/certstest/ca.pem",
  "tlscert": "/home/kevin/docker/certstest/server-cert.pem",
  "tlskey": "/home/kevin/docker/certstest/server-key.pem",
  "tlsverify": true
}

See here: please go to Enable Docker Remote API with TLS client verification.

Old content:

docker-auth.js Generate Certs


With "hosts" set in daemon.json, dockerd fails to start with:

unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: hosts: (from flag: [fd://], from file: [unix:///var/run/docker.sock tcp://])

Run systemctl list-units; you'll find "docker.service".

Run systemctl cat docker.service.

The first line shows which unit file is in use: "# /lib/systemd/system/docker.service"

The problem is this line: ExecStart=/usr/bin/dockerd -H fd://

Remove -H fd:// from that line (commenting it out is not enough); the daemon then takes its hosts from daemon.json only.

Then reload and restart:

systemctl daemon-reload
systemctl restart docker.service
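As an added check (not part of this gist), a small Python script that parses daemon.json and the unit's ExecStart line and reports the flag/file hosts conflict described above, as well as a tcp:// listener left without tlsverify or without an authorization plugin; the sample inputs are constructed from this gist's values.

```python
import json
import shlex
from typing import List

# Constructed sample input: the daemon.json from this gist (same paths).
DAEMON_JSON = """{
  "authorization-plugins": ["kekruauth"],
  "hosts": ["unix:///var/run/docker.sock", "tcp://"],
  "tls": true,
  "tlscacert": "/home/kevin/docker/certstest/ca.pem",
  "tlscert": "/home/kevin/docker/certstest/server-cert.pem",
  "tlskey": "/home/kevin/docker/certstest/server-key.pem",
  "tlsverify": true
}"""

# Constructed: the ExecStart line of the stock docker.service unit.
EXEC_START = "ExecStart=/usr/bin/dockerd -H fd://"

def hosts_from_execstart(exec_start: str) -> List[str]:
    """Return every value passed with -H / --host on a systemd ExecStart line."""
    cmd = exec_start[len("ExecStart="):] if exec_start.startswith("ExecStart=") else exec_start
    argv = shlex.split(cmd)
    hosts = []
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith("-H") and tok != "-H":      # -Hfd:// form
            hosts.append(tok[2:])
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
    return hosts

def check_daemon(daemon_json: str, exec_start: str) -> List[str]:
    """Return findings; an empty list means the config is consistent and TLS-protected."""
    cfg = json.loads(daemon_json)
    findings = []
    file_hosts = cfg.get("hosts", [])
    flag_hosts = hosts_from_execstart(exec_start)
    # dockerd refuses to start when 'hosts' comes from both the flag and the file
    if file_hosts and flag_hosts:
        findings.append(f"hosts set both as flag {flag_hosts} and in file {file_hosts}: remove -H from ExecStart")
    tcp = [h for h in file_hosts + flag_hosts if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        findings.append("tcp:// listener without tlsverify: unauthenticated remote access to the daemon")
    if cfg.get("tlsverify") and not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify requires tlscacert, tlscert and tlskey")
    if tcp and not cfg.get("authorization-plugins"):
        findings.append("no authorization plugin: every cert signed by the CA gets full daemon access")
    return findings
```

Running check_daemon(DAEMON_JSON, EXEC_START) reproduces the conflict above as a finding; with -H fd:// removed from ExecStart it returns an empty list.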


docker -H localhost:2376 --tlsverify --tlscacert=ca.pem --tlscert=client-microtest-cert.pem --tlskey=client-microtest-key.pem ps

docker-runc list
docker-runc exec -t 919ba26dd4ddb9d2505c1533247d181f7e732ea5eb56d856d281ce471cef03d3 cat /data/log.log > /home/kevin/log3.log

Show Docker Daemon Logs (CentOS)
journalctl -u docker.service -n 100

The CA should be placed on the Docker swarm manager, right?

What if I have multiple managers? Do I need to create multiple CAs, one for each of them, or would it be OK to reuse just one CA?


kekru commented Aug 13, 2017

Hi Julio, sorry for answering so late, GitHub doesn't send emails on new comments in gists.
When you use one CA for all your manager nodes, a client cert signed by that CA will be allowed to use all manager nodes. So it depends on how you want to design your authorization structure.
