Skip to content

Security

Docker Connection Methods

To connect to docker using SSH

$ docker context create \
    --docker host=ssh://jkailasam@192.168.123.11 \
    --description="Remote engine running in Homenas" \
    homenas

$ docker context list
NAME                TYPE                DESCRIPTION                               DOCKER ENDPOINT                                  KUBERNETES ENDPOINT                       ORCHESTRATOR
default *           moby                Current DOCKER_HOST based configuration   tcp://docker:2376                                https://192.168.123.200:16443 (default)   swarm
desktop-linux       moby                                                          unix:///Users/jeevandk/.docker/run/docker.sock
homenas             moby                Remote engine running in Homenas          ssh://jkailasam@192.168.123.11

$ docker context use homenas
homenas
Current context is now "homenas"

Using ssh environement variable 

export DOCKER_HOST=ssh://docker-user@host1.example.com

SSH Tips:

For the best user experience with SSH, configure ~/.ssh/config to allow reusing a SSH connection for multiple invocations of the docker CLI

ControlMaster     auto
ControlPath       ~/.ssh/control-%C
ControlPersist    yes

Protect your docker deamon using TLS Certificate

Create CA Private Key: 

openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++++
................................................................................................................++++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
Create CA Public Key: 
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Your Org Here
Organizational Unit Name (eg, section) []:Your Dept here
Common Name (eg, fully qualified host name) []:dind
Email Address []:jeeva@example.com

Create a Server Private Key 

openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................++++
.............++++
e is 65537 (0x10001)
Create Certificate Siging Request 
openssl req -subj "/CN=dind" -sha256 -new -key server-key.pem -out server.csr
Sign the Public Key with CA

Add subject alternate names which would be used to access the docker daemon to the extfile.cnf 

$ echo subjectAltName = DNS:dind,DNS:docker,DNS:dind-service,DNS:localhost,IP:127.0.0.1 >> extfile.cnf
Set the Docker daemon key’s extended usage attributes to be used only for server authentication:
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
Now, generate the signed certificate for server: 
$ openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf

Client Authentication:

Create a Client Key and Certificate Signing Request 

$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.............................................++++
..........++++
e is 65537 (0x10001)

$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
To make the key suitable for client authentication, create a new extensions config file: 
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
Generate the signed Certificate 
$ openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf

Remove the Temporary csr and cnf files 

$ rm -v client.csr server.csr extfile.cnf extfile-client.cnf
Change the permission of the key files to readonly 
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
Change the permission of Certificates to World readable 
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
Start the server 
$ dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
Connect using the client 
$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version

Client Connect options:

  • Copy the key, cert and ca files under ~/.docker/ folder
  • set the enviromnet variables:
    • DOCKER_CERT_PATH=/var/dind/certs
    • DOCKER_TLS_VERIFY=1
    • DOCKER_HOST=tcp://$HOST:2376

To access the API using curl 

    curl https://$HOST:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem