Here is a crude recipe to put socat in front of the Docker API.
socat will accept HTTPS connections, make sure that the client
shows an appropriate certificate, and relay the connection to the
UNIX socket.
apt-get install socat
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -x509 -out cert.pem -days 36525 -subj /CN=WoopWoop/
This will generate a 2048-bit RSA key in key.pem, and a self-signed
certificate in cert.pem, valid for 100 years (36525 days; pass -days 3650
if you actually want 10 years).
Copy both key.pem and cert.pem to the client and the server. That key pair is
the only credential in this setup: anyone who gets hold of key.pem can talk
to the Docker API, which is equivalent to root on the host, so protect it
like the socket itself (chmod 600, no stray copies).
socat \
OPENSSL-LISTEN:4321,fork,reuseaddr,cert=cert.pem,cafile=cert.pem,key=key.pem \
UNIX:/var/run/docker.sock
fork means that socat will fork a new child process for each incoming
connection (instead of handling only one connection and exiting right away).
reuseaddr is a useful socket option, so that if you exit and restart
socat, it won't tell you that the address is already taken.
By default, OPENSSL connections made with socat require the other end
to show a valid certificate, unless you add verify=0. "Valid" means
"signed by something listed in cafile", and since cafile is our own
self-signed cert.pem, the only certificate that passes is that exact one,
presented by someone who also holds key.pem. Here we want to encrypt
connections and check certificates (to deny unauthorized clients), so
the defaults are good: do not add verify=0, or anyone who can reach port
4321 gets the Docker API.
socat \
UNIX-LISTEN:/tmp/docker.sock,fork \
OPENSSL:$SERVERADDR:4321,cert=cert.pem,cafile=cert.pem,key=key.pem
Very symmetrical. The client checks the server's certificate against the
same cafile, so a server presenting any other certificate is rejected too.
Recent socat releases also compare the name in the server certificate with
$SERVERADDR; if that check fails, add commonname=WoopWoop to the OPENSSL
address to tell socat which name to expect.
Now you can point your Docker CLI like this:
docker -H unix:///tmp/docker.sock run -t -i busybox sh
If you would rather have a local TCP port than a UNIX socket, listen on
loopback instead:
socat \
TCP-LISTEN:4321,bind=127.0.0.1,fork \
OPENSSL:$SERVERADDR:4321,cert=cert.pem,cafile=cert.pem,key=key.pem
The Docker API is then available on http://127.0.0.1:4321 (docker -H
tcp://127.0.0.1:4321 ...). The bind=127.0.0.1 part matters: that side is
plain HTTP with no authentication at all, so it must not be reachable from
other machines.
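As an added example (not part of the original post, and not socat's code), here is what the cert=/key=/cafile= options above amount to, redone with Python's ssl module so you can watch each case be accepted or rejected: the authorized client, a client with no certificate, a client with its own self-signed certificate, and a server the client does not trust. It generates the key pair with the same openssl commands as the recipe, so it needs the openssl CLI; the local TLS echo server standing in for the Docker daemon, the function names, and the "Intruder" CN are assumptions of this example.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Added example: the accept/reject behaviour behind socat's cert=, key= and
# cafile= options, reproduced with Python's ssl module. The echo server that
# stands in for the Docker daemon and the "Intruder" CN are assumptions.


def make_self_signed(directory, cn="WoopWoop", days=36525):
    """Generate key.pem and cert.pem with the same openssl commands as the recipe."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    quiet = {"check": True, "stdout": subprocess.DEVNULL, "stderr": subprocess.DEVNULL}
    subprocess.run(["openssl", "genrsa", "-out", key, "2048"], **quiet)
    subprocess.run(["openssl", "req", "-new", "-key", key, "-x509", "-out", cert,
                    "-days", str(days), "-subj", "/CN=" + cn], **quiet)
    return key, cert


def server_context(cert, key, cafile):
    """OPENSSL-LISTEN:...,cert=,key=,cafile= : present cert, demand a client
    certificate, and trust nothing but what is listed in cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.load_verify_locations(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # socat's default; verify=0 would be CERT_NONE
    return ctx


def client_context(cafile, cert=None, key=None):
    """OPENSSL:host:port,cert=,key=,cafile= : verify the server against cafile
    (a pinned certificate, so no hostname check) and offer our own cert if we have one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # CN=WoopWoop is not a hostname; trust is by pinned cert
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    if cert:
        ctx.load_cert_chain(cert, key)
    return ctx


def exchange(server_ctx, client_ctx, payload=b"GET /version HTTP/1.0\r\n\r\n"):
    """Push one request through a throwaway TLS echo server on loopback.
    Returns the echoed bytes, or None if either side rejected its peer."""
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(tls.recv(4096))
        except (ssl.SSLError, OSError):
            pass   # handshake or client-certificate check failed: nothing is relayed

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with client_ctx.wrap_socket(raw) as tls:
                tls.sendall(payload)
                echoed = tls.recv(4096)   # with TLS 1.3 a rejected client cert surfaces here
    except (ssl.SSLError, OSError):
        echoed = b""
    worker.join(5)
    listener.close()
    return echoed or None


def demo():
    """Run the four cases; each value is True when the outcome is the expected one."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as other:
        key, cert = make_self_signed(good)                     # the pair copied to both ends
        okey, ocert = make_self_signed(other, cn="Intruder")   # someone else's self-signed pair
        server = server_context(cert, key, cafile=cert)
        return {
            "authorized": exchange(server, client_context(cert, cert, key)) is not None,
            "no_client_cert": exchange(server, client_context(cert)) is None,
            "other_client_cert": exchange(server, client_context(cert, ocert, okey)) is None,
            "untrusted_server": exchange(server, client_context(ocert, cert, key)) is None,
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'as expected' if ok else 'UNEXPECTED'}")
```

Pointing cafile at your own self-signed certificate turns the TLS trust check into certificate pinning: the server's cafile rejects every client certificate except the one copied from the server, and the client's cafile rejects every server except the one holding key.pem. That is exactly why verify=0 must stay off, and why key.pem is the whole secret.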
Enjoy!