Docker Cookbook
4.9 Securing the Docker Daemon for Remote Access

Problem

You need to access your Docker daemon remotely and securely.

Solution

Set up TLS-based access to your Docker daemon. This will use public-key cryptography to encrypt and authenticate communication between a Docker client and the Docker daemon that you have set up with TLS.

The basic steps to test this security feature are described on the Docker website. However, it shows how to create your own certificate authority (CA) and sign server and client certificates using the CA. In a properly set up infrastructure, you need to contact the CA that you use routinely and ask for server certificates.

To conveniently test this TLS setup, I created an image containing a script that creates the CA and the server and client certificates and keys. You can use this image to create a container and generate all the needed files.
You start with an Ubuntu 14.04 machine, running the latest Docker version (see Recipe 1.1). Download the image and start a container. You will need to mount a volume from your host and bind mount it to /tmp/ca inside the Docker container. You will also need to pass the hostname as an argument when running the container (the examples that follow use test as the hostname). Once you are done running the container, all CA, server, and client keys and certificates will be available in your working directory:

$ docker pull runseb/dockertls
$ docker run -ti -v $(pwd):/tmp/ca runseb/dockertls
$ ls
cakey.pem ca.pem ca.srl clientcert.pem client.csr clientkey.pem
extfile.cnf makeca.sh servercert.pem server.csr serverkey.pem
Stop the running Docker daemon. Create an /etc/docker directory and a ~/.docker directory. Copy the CA, server key, and server certificate to /etc/docker. Copy the CA, client key, and client certificate to ~/.docker:

$ sudo service docker stop
$ sudo mkdir /etc/docker
$ mkdir ~/.docker
$ sudo cp {ca,servercert,serverkey}.pem /etc/docker
$ cp ca.pem ~/.docker/
$ cp clientkey.pem ~/.docker/key.pem
$ cp clientcert.pem ~/.docker/cert.pem
Edit the /etc/default/docker configuration file (you need to be root) to specify DOCKER_OPTS (replace test with your own hostname):

DOCKER_OPTS="-H tcp://test:2376 --tlsverify \
--tlscacert=/etc/docker/ca.pem \
--tlscert=/etc/docker/servercert.pem \
--tlskey=/etc/docker/serverkey.pem"
Then restart the Docker service with sudo service docker restart and try to connect to the Docker daemon:

$ docker -H tcp://test:2376 --tlsverify images
REPOSITORY        TAG     IMAGE ID      CREATED         VIRTUAL SIZE
runseb/dockertls  latest  5ed60e0f6a7c  17 minutes ago  214.7 MB
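The recipe's script builds a CA, a server certificate and a client certificate, and --tlsverify then makes each side check the other's certificate against ca.pem. The following Go program is an added example (not code from the book or from the runseb/dockertls image) that builds the same three certificates with the standard library and runs the two checks the client and the daemon perform; the hostname test, the 24-hour lifetime and the names docker-test-ca and client are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes an Ed25519 key and a 24h cert for cn signed by parent; nil parent = self-signed CA.
func issue(serial int64, cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if _, key, err = ed25519.GenerateKey(rand.Reader); err != nil {
		return
	}
	if parent == nil { // no issuer given: this is the CA (ca.pem / cakey.pem in the recipe)
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	if err != nil {
		return
	}
	cert, err = x509.ParseCertificate(der)
	return
}

// BuildPKI mirrors makeca.sh: CA, server cert bound to host (SAN + serverAuth), client cert limited to clientAuth.
func BuildPKI(host string) (ca, server, client *x509.Certificate, err error) {
	ca, caKey, err := issue(1, "docker-test-ca", x509.ExtKeyUsageAny, nil, nil) // assumed CA name
	if err != nil {
		return
	}
	if server, _, err = issue(2, host, x509.ExtKeyUsageServerAuth, ca, caKey); err != nil {
		return
	}
	client, _, err = issue(3, "client", x509.ExtKeyUsageClientAuth, ca, caKey) // assumed client name
	return
}

// Verify chains leaf to ca as --tlsverify does: the client also matches host against the server SAN,
// the daemon instead passes an empty host and demands the clientAuth EKU on the client cert.
func Verify(ca, leaf *x509.Certificate, host string, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}
```

Connecting with -H tcp://other:2376 fails for the same reason the second check below fails: the hostname is not in the server certificate's SAN, even though the certificate chains to ca.pem.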
Discussion

The runseb/dockertls convenience image is automatically built from the https://github.com/how2dock/docbook/ch04/tls Dockerfile. Check it out.

By setting up a few environment variables (DOCKER_HOST and DOCKER_TLS_VERIFY), you can easily configure the TLS connection from the CLI: