Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save kekru/974e40bb1cd4b947a53cca5ba4b0bbe5 to your computer and use it in GitHub Desktop.
Save kekru/974e40bb1cd4b947a53cca5ba4b0bbe5 to your computer and use it in GitHub Desktop.
Docker Remote API with client verification via daemon.json

Enable Docker Remote API with TLS client verification

Docker's Remote API can be secured via TLS and client certificate verification.
First of all you need a few certificates and keys:

  • CA certificate
  • Server certificate
  • Server key
  • Client certificate
  • Client key

Create certificate files

You can create these files as described in the official docs in Protect the Docker daemon socket.
You can also use my create-certs.sh script to create them.
Download the script and run like this:

  1. Create a CA with the password yourSecretPassword and 900 days until it wil expire. The cert files will be in the directory ./certs.
./create-certs.sh -m ca -pw yourSecretPassword -t certs -e 900
  1. Create server certificate and key with the password of step 1 yourSecretPassword, with the servername myserver.example.com and 365 days until it wil expire. The cert files will be in the directory ./certs.
./create-certs.sh -m server -h myserver.example.com -pw yourSecretPassword -t certs -e 365
  1. Create client certificate and key with the password of step 1 yourSecretPassword, with the clientname testClient (the name is interesting if you want to use authorization plugins later) and 365 days until it wil expire. The cert files will be in the directory ./certs.
./create-certs.sh -m client -h testClient -pw yourSecretPassword -t certs -e 365

Now you have a directory ./certs with certificates and keys for CA, server and client.

Enable Remote API with TLS (daemon.json)

Make sure, you have a ca certificate and a server certificate with a server key.
Open or create the file /etc/docker/daemon.json. This is the main configuration file for Docker.
Take the content of the 2-daemon.json file of this gist and write it to /etc/docker/daemon.json. Edit the paths to your ca and server certificate files.

Restart your Docker engine with sudo service docker restart.
The Docker Remote API is ready to use. You can run Docker commands from a remote device by using the ca.pem and the client certificate and key. Read Run commands on remote Docker host for more information.

Enable Remote API with TLS (with a container)

If you don't want to modify your daemon.json, you can use a helper container, that exposes the remote api for you:
kekru/docker-remote-api-tls
This project can also create the certificate files on startup.

{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
"tls": true,
"tlscacert": "/data/certs/ca.pem",
"tlscert": "/data/certs/server-cert.pem",
"tlskey": "/data/certs/server-key.pem",
"tlsverify": true
}
@kekru
Copy link
Author

kekru commented Dec 19, 2018

@brunoqkz
Seems that Docker for Windows (= Docker Desktop) does not support TLS yet.
See docker/for-win#1953 and docker/for-win#453
But you can use https://github.com/kekru/docker-remote-api-tls as workaroumd

@aplocher
Copy link

aplocher commented Jan 9, 2020

Thank you, might I suggest create-certs.sh prompting for the password interactively (as an option) so the password doesn't get recorded in the bash history?

@kekru
Copy link
Author

kekru commented Jan 9, 2020

Hi @aplocher, good idea! If you like you can create an issue or pull request on https://github.com/kekru/linux-utils

@shridhara136
Copy link

thank you @kekru, you saved my day

@pedroricardo
Copy link

how can i use this api with docker-compose?

@kekru
Copy link
Author

kekru commented Dec 17, 2021

Example for docker-compose can be found here https://github.com/kekru/docker-remote-api-tls

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment