Paul Calabro paulcalabro

Enable Docker Remote API with TLS client verification

Docker's Remote API can be secured via TLS and client certificate verification.
First of all you need a few certificates and keys:

CA certificate
Server certificate
Server key
Client certificate
Client key

Create certificate files

How to create a self-signed SSL Certificate with SubjectAltName(SAN)

After Chrome 58, self-signed certificate without SAN is not valid anymore.

Step 1: Generate a Private Key

openssl genrsa -des3 -out example.com.key 2048

Step 2: Generate a CSR (Certificate Signing Request)

Available Public Wildcard DNS Domains pointing to localhost (127.0.0.1)

The best way to safely and securely use local domains pointing to 127.0.0.1 is to edit your local settings (/etc/hosts) and add your own settings. Keep in mind if you want to use subdomains, you need to enter all variations.

Example:

# Adding bottom of your current file /etc/hosts
################# MY LOCAL DOMAINS
127.0.0.1 local.com admin.local.com
127.0.0.1 domain1.com

See here

Please go to Enable Docker Remote API with TLS client verification.

Old content:

docker-auth.js Generate Certs

Troubleshooting

I posted several talks about compiling PHP from source, but everyone was trying to convince me that a package manager like Homebrew was a more convenient way to install.

The purpose of Homebrew is simple: a package manager for macOS that will allow you to set up and install common packages easily and allows you to update frequently using simple commands.

I used a clean installation of macOS Sierra to ensure all steps could be recorded and tested. In most cases you already have done work on your Mac, so chances are you can skip a few steps in this tutorial.

Apache and PHP with homebrew

I’ve made this according to the installation instructions given on GetGrav.

2021 Update: Easiest option is Justin's repo and image

Just run this from your Mac terminal and it'll drop you in a container with full permissions on the Docker VM. This also works for Docker for Windows for getting in Moby Linux VM (doesn't work for Windows Containers).

docker run -it --rm --privileged --pid=host justincormack/nsenter1

more info: https://github.com/justincormack/nsenter1

	# Create a profile (cookbook)
	inspec init profile SQLServerSecurity

	# check profile is valid
	insec check SQLServerSecurity

	# Run single inspec.rb file
	inspec exec mytest.rb

	# Run a profile

	Either via
	$ docker run --dns 10.0.0.2 busybox nslookup google.com

	or edit your /etc/docker/daemon.json to have something like:

	{
	"dns": ["10.0.0.2", "8.8.8.8"]
	}

	then restart docker service

	#!/usr/bin/env python


	import pickle
	import sys

	if __name__ == '__main__':
	argv = sys.argv
	if len(argv) <= 1:
	print 'Specify pickle file as parameter.'

	Host *
	ControlPath ~/.ssh/control/%C
	ControlMaster auto