TLS Auth for Docker Daemon
Closed this issue · 5 comments
Clivern commented
Add TLS auth to talk to (remote) Docker.
>> TLS with server and client verification (Use client certificates and server verification)
Required TLS files
* TLS CA certificate
* TLS certificate
* TLS key
>> TLS with client verification only (Use client certificates without server verification)
Required TLS files
* TLS certificate
* TLS key
>> TLS with server verification only (Only verify the server certificate)
Required TLS files
* TLS CA certificate
>> TLS only (No server/client verification)
Required TLS files
* TLS CA certificate
* TLS certificate
* TLS key
Clivern commented
Fields added, validation needed!
Clivern commented
cat /lib/systemd/system/docker.service
Clivern commented
# Create Certificates
$ openssl genrsa -aes256 -out ca-key.pem 4096
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
$ openssl genrsa -out server-key.pem 4096
$ openssl req -subj "/CN={$SERVER_HOST}" -sha256 -new -key server-key.pem -out server.csr
$ echo subjectAltName = DNS:{$SERVER_HOST},IP:{$SERVER_IP},IP:127.0.0.1 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
$ openssl genrsa -out key.pem 4096
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
# Use a separate extension file for the client: appending to extfile.cnf would give the client cert the server's subjectAltName and a second extendedKeyUsage line
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
$ rm -v client.csr server.csr
# Config Dockerd to use TLS Auth
$ mkdir -pv ~/.dockerd
$ cp -v {ca,server-cert,server-key}.pem ~/.dockerd
$ nano /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/.dockerd/ca.pem --tlscert=/root/.dockerd/server-cert.pem --tlskey=/root/.dockerd/server-key.pem -H fd:// -H tcp://0.0.0.0:{$DOCKER_PORT}
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
# Secure Local Client
$ mkdir -pv ~/.docker
$ cp -v {ca,cert,key}.pem ~/.docker
$ export DOCKER_HOST=tcp://{$SERVER_IP}:{$DOCKER_PORT} DOCKER_TLS_VERIFY=1
# Remote API Calls
$ curl https://{$SERVER_IP}:{$DOCKER_PORT}/images/json \
--cert ./cert.pem \
--key ./key.pem \
--cacert ./ca.pem
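The certificate steps above, as an added example that is not part of the issue: a script that builds the same CA, server and client material (unencrypted CA key, 2048-bit keys and `-subj` are assumptions so it runs unattended) and then checks each piece the way a reviewer would before pointing dockerd or `DOCKER_HOST` at it: chain to the CA, EKU per role, key/cert match, SAN covering the host, and that the client cert cannot pass as a server cert.

```shell
# Added example (not from the issue): build the CA / server / client material
# the issue describes, with a separate extension file for the client cert,
# then check it before handing it to dockerd and the docker client.
set -eu

# gen_tls_material DIR HOST IP: constructs the files the issue names
# (ca.pem, server-cert.pem, server-key.pem, cert.pem, key.pem) in DIR.
# Assumptions: unencrypted CA key, 2048-bit keys and -subj for an unattended run.
gen_tls_material() {
  local dir=$1 host=$2 ip=$3
  mkdir -p "$dir"
  ( cd "$dir"
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -subj '/CN=docker-ca' -out ca.pem
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
    # server extensions: SAN pins the names clients will dial, EKU = serverAuth
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
      "$host" "$ip" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    # client extensions in their own file: no inherited server SAN, no second EKU line
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
    rm -f client.csr server.csr )
}

# check_docker_tls DIR HOST: returns 0 only if every check passes
check_docker_tls() {
  local dir=$1 host=$2 text
  # 1. both leaf certs chain to ca.pem and carry the EKU for their role
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server-cert.pem" >/dev/null || return 1
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/cert.pem" >/dev/null || return 1
  # 2. each private key really belongs to its certificate (same public key)
  [ "$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/server-key.pem" -pubout)" ] || return 1
  [ "$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/key.pem" -pubout)" ] || return 1
  # 3. the server cert's SAN names the host the client puts in DOCKER_HOST
  text=$(openssl x509 -in "$dir/server-cert.pem" -noout -text)
  case "$text" in *"DNS:$host"*) ;; *) return 1 ;; esac
  # 4. the client cert must not also pass as a server cert (symptom of a reused extfile)
  if openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/cert.pem" >/dev/null 2>&1; then
    return 1
  fi
}
```

Run `gen_tls_material ./tls "$SERVER_HOST" "$SERVER_IP"` followed by `check_docker_tls ./tls "$SERVER_HOST"`; a non-zero exit means one of the four checks failed and the material should not be deployed.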
Clivern commented
docker run --name redis -p 7001:6379 -d redis
# Docker
docker pull rabbitmq
docker run -d --hostname my-rabbit --name some-rabbit -p 4369:4369 -p 5671:5671 -p 5672:5672 -p 15672:15672 rabbitmq
docker exec some-rabbit rabbitmq-plugins enable rabbitmq_management
# Login at http://localhost:15672/ (or the IP of your docker host)
# using guest/guest