Skip to content

Instantly share code, notes, and snippets.

@kekru
Last active January 11, 2024 18:20
Show Gist options
  • Save kekru/b9e4da822514df93e6fdf2f7d3d90d8a to your computer and use it in GitHub Desktop.
Save kekru/b9e4da822514df93e6fdf2f7d3d90d8a to your computer and use it in GitHub Desktop.
Enable Docker Remote API via daemon.json
{
"authorization-plugins": ["kekruauth"],
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
"tls": true,
"tlscacert": "/home/kevin/docker/certstest/ca.pem",
"tlscert": "/home/kevin/docker/certstest/server-cert.pem",
"tlskey": "/home/kevin/docker/certstest/server-key.pem",
"tlsverify": true
}

See here

Please go to Enable Docker Remote API with TLS client verification.

Old content:

docker-auth.js Generate Certs

Troubleshooting

unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: hosts: (from flag: [fd://], from file: [unix:///var/run/docker.sock tcp://172.0.0.42:2375])

systemctl list-units
we'll find "docker.service"

systemctl cat docker.service

first line: "# /lib/systemd/system/docker.service"

problem: ExecStart=/usr/bin/dockerd -H fd://

remove -H fd:// (comment out is not enough)

systemctl daemon-reload
systemctl restart docker.service

/etc/docker/daemon.json

docker -H localhost:2376 --tlsverify --tlscacert=ca.pem --tlscert=client-microtest-cert.pem --tlskey=client-microtest-key.pem ps

docker-runc list
docker-runc exec -t 919ba26dd4ddb9d2505c1533247d181f7e732ea5eb56d856d281ce471cef03d3 cat /data/log.log > /home/kevin/log3.log

Show Docker Daemon Logs (CentOS)
journalctl -u docker.service -n 100

@juliocanares
Copy link

the CA should be placed in the Docker swarm manager right?

what if I have multiple managers, do I need to create multiple CA for each of them or would be ok to reuse just one CA?

@kekru
Copy link
Author

kekru commented Aug 13, 2017

Hi Julio, sorry for answering so late, Github doesn't send emails on new comments in gists.
When you use one CA for all your manager nodes, a client cert, signed by that CA, will be allowed to use all manager nodes. So it depends on how you want to design your authorization structure.

@zx1986
Copy link

zx1986 commented Aug 21, 2018

Thank you so much!

@lionsong
Copy link

Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment