This image publishes the Docker Remote API from a container, behind an nginx reverse proxy that terminates TLS. Every client must authenticate with a client TLS certificate. It is an alternative to configuring TLS on the Docker daemon itself.

Note that anyone holding a valid client certificate and key has full control of the daemon, which is equivalent to root on the host; the `:ro` flag on the socket mount in the examples below limits only the bind mount, not what the API can do. Protect the client key and the CA key accordingly.

First you need a CA, plus a certificate and key for the Docker server and for the client. Create them as described in Protect the Docker daemon socket, or with the script create-certs.sh; read Create certificate files for how to use the script.
Copy the following files into a directory; that directory will be mounted into the container:

- `ca-cert.pem`
- `server-cert.pem`
- `server-key.pem`

The files `cert.pem` and `key.pem` are the certificate and key for the client. The client will also need `ca-cert.pem`.
Create a docker-compose.yml file:

```yaml
version: "3.4"
services:
  remote-api:
    image: kekru/docker-remote-api-tls:v0.4.0
    ports:
      - 2376:443
    volumes:
      - <local cert dir>:/data/certs:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
```

Now run the container with `docker-compose up -d` or `docker stack deploy --compose-file=docker-compose.yml remoteapi`.

Your Docker Remote API is now available over HTTPS on port 2376. The client authenticates with `cert.pem` and `key.pem`.
The docker-remote-api image can also generate the CA, certificates and keys for you. Create a docker-compose.yml file that specifies a passphrase and the hostname under which the remote API will later be reachable. The hostname is written into the server certificate, so clients must connect using exactly that name for verification to succeed. The certificate directory is mounted without `:ro` here because the container has to write into it.

```yaml
version: "3.4"
services:
  remote-api:
    image: kekru/docker-remote-api-tls:v0.4.0
    ports:
      - 2376:443
    environment:
      - CREATE_CERTS_WITH_PW=supersecret
      - CERT_HOSTNAME=remote-api.example.com
    volumes:
      - <local cert dir>:/data/certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
```

Now run the container with `docker-compose up -d` or `docker stack deploy --compose-file=docker-compose.yml remoteapi`.

The certificates are created in `<local cert dir>`. The client certificates are in `<local cert dir>/client/`; the files are `ca.pem`, `cert.pem` and `key.pem`.
Configuration options for certificate generation:

- `CREATE_CERTS_WITH_PW`: passphrase used to encrypt the generated certificate material.
- `CERTS_PASSWORD_FILE`: read the passphrase from a Docker secret instead. The absolute path of the secret file has to be provided, e.g. `CERTS_PASSWORD_FILE=/run/secrets/<secret_name>`. If both the passphrase and the secret file are set, the secret file takes precedence.
- Certificate expiration for the server and client certificates, in days. If not set, the default of 365 is applied.
- Certificate expiration for the CA, in days. If not set, the default of 900 is applied.
- `CERT_HOSTNAME`: domain name of the Docker server. If you don't have a DNS name, you can use nip.io to get a name for any IP.
See Run commands on remote Docker host for instructions on setting up a client that talks to the remote API. You can also reuse the `dockerRemote` script from this repo: set `url` and `path` in it to your values, then run `./dockerRemote ps` to run `ps` against your remote API.
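The certificate-creation step at the top of this page and the client setup described in Run commands on remote Docker host, as an added example: this is not the project's create-certs.sh or dockerRemote script. It builds a CA, a server certificate and a client certificate with openssl, using the file names the image expects (`ca-cert.pem`, `server-cert.pem`, `server-key.pem` in the mounted directory; `ca.pem`, `cert.pem`, `key.pem` under `client/`), checks them before deployment, and runs the docker CLI against the remote API through the standard `DOCKER_HOST`, `DOCKER_TLS_VERIFY` and `DOCKER_CERT_PATH` variables. The CA key file name `ca-key.pem`, the certificate subjects, the hostname `remote-api.example.com` and the 900/365-day lifetimes are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example, not part of kekru/docker-remote-api-tls. Creates a CA plus
# server and client certificates with openssl, verifies them, and wraps the
# docker CLI for the remote API. Assumptions: openssl is on PATH; the CA key
# is stored as ca-key.pem (name chosen here); the API listens on port 2376.

# make_certs DIR HOSTNAME
# Writes ca-cert.pem, server-cert.pem, server-key.pem into DIR (to be mounted
# at /data/certs) and ca.pem, cert.pem, key.pem into DIR/client (for clients).
make_certs() {
  local dir="$1" host="$2"
  mkdir -p "$dir/client" || return 1
  # CA, valid 900 days (same as the image's default CA lifetime)
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null || return 1
  openssl req -new -x509 -days 900 -key "$dir/ca-key.pem" \
    -subj "/CN=docker-remote-api-ca" -out "$dir/ca-cert.pem" 2>/dev/null || return 1
  # Server certificate. The SAN must carry the exact name the client dials,
  # otherwise `docker --tlsverify` rejects the connection.
  openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/server-key.pem" -subj "/CN=$host" \
    -out "$dir/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server-ext.cnf"
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server-ext.cnf" \
    -out "$dir/server-cert.pem" 2>/dev/null || return 1
  # Client certificate, restricted to clientAuth so a leaked client cert
  # cannot be reused to impersonate the server.
  openssl genrsa -out "$dir/client/key.pem" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/client/key.pem" -subj "/CN=docker-client" \
    -out "$dir/client.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client-ext.cnf"
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/client-ext.cnf" \
    -out "$dir/client/cert.pem" 2>/dev/null || return 1
  # DOCKER_CERT_PATH expects the CA under the name ca.pem
  cp "$dir/ca-cert.pem" "$dir/client/ca.pem" || return 1
  chmod 0400 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client/key.pem" || return 1
  rm -f "$dir"/*.csr "$dir"/*-ext.cnf "$dir/ca-cert.srl"
}

# verify_certs DIR HOSTNAME
# Returns 0 only if the material is usable for the setup on this page.
verify_certs() {
  local dir="$1" host="$2" k
  # both leaf certificates chain to the CA the proxy will trust
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" \
    "$dir/client/cert.pem" >/dev/null 2>&1 || return 1
  # the server certificate names the host the client dials
  openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -qF "DNS:$host" || return 1
  # the client certificate is marked for client authentication
  openssl x509 -in "$dir/client/cert.pem" -noout -text \
    | grep -qF 'TLS Web Client Authentication' || return 1
  # private keys are readable by their owner only
  for k in "$dir/server-key.pem" "$dir/client/key.pem"; do
    case "$(ls -l "$k")" in -r--------*) ;; *) return 1 ;; esac
  done
}

# docker_remote DIR HOSTNAME docker-args...
# Runs the docker CLI against the remote API with the generated client material.
docker_remote() {
  local dir="$1" host="$2"
  shift 2
  DOCKER_HOST="tcp://$host:2376" DOCKER_TLS_VERIFY=1 \
    DOCKER_CERT_PATH="$dir/client" docker "$@"
}

# Script usage:  ./certs.sh ./certs remote-api.example.com
# then, e.g.:    docker_remote ./certs remote-api.example.com ps
if [ "$#" -eq 2 ]; then
  make_certs "$1" "$2" && verify_certs "$1" "$2" && echo "certificates written to $1"
fi
```

Mount the top-level directory at `/data/certs:ro` as in the first compose file above, and point clients at the `client/` subdirectory. `verify_certs` fails when the hostname does not appear in the server certificate's SAN, which is the most common reason `--tlsverify` connections are refused after a host rename or when an IP (rather than a nip.io name) is used.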
To test this repo quickly, clone it, then run:

```bash
# Start remote-api locally
docker-compose up -d
# Run ps over the remote API (use Git Bash when you are on Windows)
./dockerRemote ps
```
First stable release
Thanks @smiller171 for contributing!
- update nginx version
- add configuration for cert expiration
- add configuration to use swarm secret as password for cert generation
- add automatic tests
Thanks @benkorichard for contributing!
- update nginx version to 1.20.2