Docker's Remote API can be secured via TLS and client certificate verification.
First of all you need a few certificates and keys:
- CA certificate
- Server certificate
- Server key
- Client certificate
- Client key
You can create these files as described in the official docs under "Protect the Docker daemon socket".
You can also use my create-certs.sh script to create them.
Download the script and run it like this:

- Create a CA with the password `yourSecretPassword` and 900 days until it will expire. The cert files will be in the directory `./certs`:

  ```sh
  ./create-certs.sh -m ca -pw yourSecretPassword -t certs -e 900
  ```

- Create the server certificate and key with the password of step 1 (`yourSecretPassword`), the server name `myserver.example.com` and 365 days until it will expire. The cert files will be in the directory `./certs`:

  ```sh
  ./create-certs.sh -m server -h myserver.example.com -pw yourSecretPassword -t certs -e 365
  ```

- Create the client certificate and key with the password of step 1 (`yourSecretPassword`), the client name `testClient` (the name is interesting if you want to use authorization plugins later) and 365 days until it will expire. The cert files will be in the directory `./certs`:

  ```sh
  ./create-certs.sh -m client -h testClient -pw yourSecretPassword -t certs -e 365
  ```
Now you have a directory `./certs` with certificates and keys for the CA, the server and the client.
Make sure you have a CA certificate and a server certificate with a server key.
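The same three steps done with plain `openssl`, followed by the checks the daemon and the client will perform at connection time. This is an added example, not the gist's `create-certs.sh` and not the official docs verbatim; it assumes the file names used in Docker's documentation (`ca.pem`, `server-cert.pem`, `server-key.pem`, `cert.pem`, `key.pem`), a CA subject of `docker-ca`, an extra `IP:127.0.0.1` SAN on the server certificate and the environment variables `MKCERTS_HOST`, `MKCERTS_PW`, `MKCERTS_DIR` and `MKCERTS_CLIENT` as its inputs. The gist's script may name its output files differently, so adjust the paths if you mix the two.

```shell
#!/bin/sh
# Added example: create CA, server and client certificates with openssl and
# verify them. File names follow the Docker docs (assumption: the gist's
# create-certs.sh may use other names).
set -eu

# create_ca DIR PASSWORD DAYS
# The CA private key is encrypted with PASSWORD (like the script's -pw).
create_ca() {
  dir=$1; pw=$2; days=$3
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$pw" -out "$dir/ca-key.pem" 4096 2>/dev/null
  openssl req -new -x509 -days "$days" -sha256 -subj "/CN=docker-ca" \
    -key "$dir/ca-key.pem" -passin "pass:$pw" -out "$dir/ca.pem"
  chmod 0400 "$dir/ca-key.pem"
}

# create_server DIR PASSWORD HOSTNAME DAYS
# HOSTNAME must appear in subjectAltName: a client using --tlsverify compares
# it against the host it dials, and a CN-only certificate is rejected.
create_server() {
  dir=$1; pw=$2; host=$3; days=$4
  openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -subj "/CN=$host" -key "$dir/server-key.pem" -out "$dir/server.csr"
  printf 'subjectAltName = DNS:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$host" \
    > "$dir/server-ext.cnf"
  openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -passin "pass:$pw" -CAcreateserial \
    -extfile "$dir/server-ext.cnf" -out "$dir/server-cert.pem"
  chmod 0400 "$dir/server-key.pem"
}

# create_client DIR PASSWORD CLIENTNAME DAYS
# CLIENTNAME becomes the CN, which an authorization plugin can key on.
create_client() {
  dir=$1; pw=$2; name=$3; days=$4
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -subj "/CN=$name" -key "$dir/key.pem" -out "$dir/client.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.cnf"
  openssl x509 -req -days "$days" -sha256 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -passin "pass:$pw" -CAcreateserial \
    -extfile "$dir/client-ext.cnf" -out "$dir/cert.pem"
  chmod 0400 "$dir/key.pem"
}

# cert_matches_key CERT KEY -> 0 if CERT was issued for the public half of KEY
cert_matches_key() {
  a=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
  b=$(openssl pkey -pubout -in "$2" | openssl md5)
  [ "$a" = "$b" ]
}

# verify_server_cert CA CERT HOSTNAME
# -> 0 if CERT chains to CA, names HOSTNAME in its SAN and allows serverAuth
verify_server_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$2" | grep -q "DNS:$3" || return 1
  openssl x509 -noout -text -in "$2" | grep -q "TLS Web Server Authentication"
}

# verify_client_cert CA CERT -> 0 if CERT chains to CA and allows clientAuth
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$2" | grep -q "TLS Web Client Authentication"
}

# Entry point, only when MKCERTS_HOST is set, e.g.
#   MKCERTS_HOST=myserver.example.com MKCERTS_PW=yourSecretPassword sh mkcerts.sh
if [ -n "${MKCERTS_HOST:-}" ]; then
  d=${MKCERTS_DIR:-certs}
  pw=${MKCERTS_PW:?set MKCERTS_PW to the CA key password}
  create_ca "$d" "$pw" 900
  create_server "$d" "$pw" "$MKCERTS_HOST" 365
  create_client "$d" "$pw" "${MKCERTS_CLIENT:-testClient}" 365
  verify_server_cert "$d/ca.pem" "$d/server-cert.pem" "$MKCERTS_HOST"
  verify_client_cert "$d/ca.pem" "$d/cert.pem"
  cert_matches_key "$d/server-cert.pem" "$d/server-key.pem"
  cert_matches_key "$d/cert.pem" "$d/key.pem"
  echo "certificates in $d verified"
fi
```

Run the verify functions against whatever `create-certs.sh` produced as well: a server certificate whose SAN does not contain the name you will put into `DOCKER_HOST`, or a client certificate signed by a different CA than the one in `daemon.json`, fails here exactly as it will fail at the TLS handshake.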
Open or create the file `/etc/docker/daemon.json`. This is the main configuration file for Docker.
Take the content of the 2-daemon.json file of this gist and write it to `/etc/docker/daemon.json`. Edit the paths to your CA and server certificate files.
Restart your Docker engine with `sudo service docker restart`.
The Docker Remote API is ready to use. You can run Docker commands from a remote device by using `ca.pem` and the client certificate and key. Read "Run commands on remote Docker host" for more information.
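What the daemon configuration and the client side look like, as an added example that is not the gist's `2-daemon.json`: the keys are the documented `dockerd` options (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`), and the file names, the certificate directory, port 2376 and the `DOCKER_TLS_DIR` / `DAEMON_JSON` environment variables are assumptions of this example. It also checks the two things that most often break this step: a world-readable server key, and a dockerd that is already started with `-H` on its systemd command line, in which case a `hosts` entry in `daemon.json` makes the daemon refuse to start.

```shell
#!/bin/sh
# Added example: render daemon.json for a TLS-protected Remote API, check the
# referenced files, and print the matching client environment. Paths, port
# and variable names are assumptions, not taken from the gist.
set -eu

# render_daemon_json CERTDIR -> prints the daemon.json content.
# tlsverify=true makes the daemon reject any client certificate that was not
# signed by tlscacert; with tls=true alone every client would be accepted.
render_daemon_json() {
  cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "$1/ca.pem",
  "tlscert": "$1/server-cert.pem",
  "tlskey": "$1/server-key.pem"
}
EOF
}

# check_tls_files CERTDIR -> 0 if all three files exist and the key is not
# readable by others (the daemon runs as root; nobody else needs the key)
check_tls_files() {
  for f in ca.pem server-cert.pem server-key.pem; do
    [ -r "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
  done
  if [ -n "$(find "$1/server-key.pem" -perm -o+r)" ]; then
    echo "$1/server-key.pem is world-readable; chmod 0400 it" >&2
    return 1
  fi
}

# systemd_hosts_conflict -> 0 if the docker unit passes -H/--host to dockerd
# (the Debian/Ubuntu default is "-H fd://"). dockerd refuses to start when an
# option is given both as a flag and in daemon.json.
systemd_hosts_conflict() {
  systemctl cat docker 2>/dev/null | grep -Eq 'ExecStart=.*dockerd.*( -H |--host[ =])'
}

# render_systemd_override -> prints a drop-in that clears the -H flag so
# the "hosts" entry in daemon.json takes effect instead
render_systemd_override() {
  printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd\n'
}

# client_env HOST CLIENTCERTDIR -> prints the environment for a remote docker CLI;
# CLIENTCERTDIR must hold ca.pem, cert.pem and key.pem
client_env() {
  printf 'export DOCKER_HOST=tcp://%s:2376\n' "$1"
  printf 'export DOCKER_TLS_VERIFY=1\n'
  printf 'export DOCKER_CERT_PATH=%s\n' "$2"
}

# Entry point, only when DOCKER_TLS_DIR is set, e.g.
#   sudo DOCKER_TLS_DIR=/etc/docker/certs sh daemon-tls.sh
if [ -n "${DOCKER_TLS_DIR:-}" ]; then
  check_tls_files "$DOCKER_TLS_DIR"
  if systemd_hosts_conflict; then
    echo "dockerd is started with -H; install this drop-in first:" >&2
    render_systemd_override >&2
    echo "then: sudo systemctl daemon-reload" >&2
  fi
  render_daemon_json "$DOCKER_TLS_DIR" > "${DAEMON_JSON:-/etc/docker/daemon.json}"
  echo "wrote ${DAEMON_JSON:-/etc/docker/daemon.json}; restart docker, then on the client:"
  client_env "$(hostname -f)" "$HOME/.docker"
fi
```

With the environment from `client_env` in place, `docker version` against the remote host is the end-to-end test: a wrong or missing client certificate is refused during the handshake, and a server certificate without the dialled name in its SAN fails verification on the client side.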
If you don't want to modify your daemon.json, you can use a helper container that exposes the remote API for you: kekru/docker-remote-api-tls. This project can also create the certificate files on startup.
Great! Thanks.
One thing: max possible days is 24 855,1348032407 days (max 2147483647 seconds)
Source: https://groups.google.com/forum/#!msg/mailing.openssl.users/3kK_f0ywCZQ/WA3BKVjw1BkJ
And be sure to use: `chmod +x ./create-certs.sh`