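# Server side: dockerd listens on the loopback address only. --tlsverify makes
# the daemon require a client certificate issued by the CA in --tlscacert (and
# already implies --tls). All three cert/key paths are absolute; the original
# gave the key as a relative path, which depends on the daemon's cwd.
# The key file is stored unencrypted (server_decrypted.key), so it must be
# readable by the daemon user only.
/usr/bin/dockerd -H tcp://127.0.0.1:2736 \
  --tls --tlsverify \
  --tlscacert /path/to/ca.pem \
  --tlscert /path/to/server.pem \
  --tlskey /path/to/server_decrypted.key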
# Client side: point the docker CLI at the TLS endpoint and make it verify the
# server certificate against ca.pem in DOCKER_CERT_PATH; the CLI also presents
# cert.pem/key.pem from that directory as its client identity.
DOCKER_CERT_PATH=/path/to/client-stuff
DOCKER_TLS_VERIFY=1
DOCKER_HOST=tcp://127.0.0.1:2736
export DOCKER_CERT_PATH DOCKER_TLS_VERIFY DOCKER_HOST
# Smoke test: only succeeds if the handshake and the client-cert check pass.
docker info
The folder referenced by the DOCKER_CERT_PATH
envvar shall contain the following files (names are important!!!):
- ca.pem   - CA certificate
- cert.pem - client certificate signed by the CA
- key.pem  - client key
/etc/systemd/system/docker.service.d/docker.conf
[Service]
# The empty assignment clears the ExecStart inherited from the packaged unit;
# for a non-oneshot service a second ExecStart without it is a unit-file error.
ExecStart=
# Keep the socket-activated fd:// listener and add the loopback TLS listener;
# "..." stands for the --tls* flags shown in the dockerd invocation above.
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2736 --tls ...
Reload systemd configs
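# daemon-reload only re-reads the unit files; the running daemon keeps its old
# ExecStart (and thus the old listeners) until the service is restarted.
systemctl daemon-reload
systemctl restart docker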
# Server CSR: the CN is the host's FQDN (rendered by Ansible); key.pem is the
# existing server private key the request is generated for.
openssl req -new -sha256 \
  -key key.pem \
  -subj "/CN={{ ansible_fqdn }}" \
  -out server.csr
The extfile.cnf.j2 template is rendered to server-extfile.cnf:
# The SAN must list every address clients will dial (DOCKER_HOST above uses
# 127.0.0.1); a verifying TLS client checks the connected host against it.
subjectAltName = IP:{{ ansible_eth1.ipv4.address }},IP:127.0.0.1
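# Sign the CSR with the CA, applying the SAN extensions from server-extfile.cnf
# (x509 -req does not take extensions from the CSR by default). The original
# line ended in a stray single quote, which left the command unterminated.
# "pass:<secret>" in -passin puts the CA key password in argv, where it is
# visible in ps, shell history and task logs; openssl also accepts
# -passin file:<path> or -passin env:<VAR> to keep the secret out of argv.
openssl x509 -req -days 365 -sha256 \
  -in server.csr \
  -CA ca.pem -CAkey ca.key -CAcreateserial \
  -extfile server-extfile.cnf \
  -passin "pass:{{ certs_ca_password }}" \
  -out server.pem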
Important:
- use server-extfile.cnf (the -extfile argument); x509 -req does not copy extensions from the CSR by default, so the SAN would otherwise be missing
- the CA key password is supplied on the command line (-passin)