Protect the Docker daemon socket - saviovettoor/DevOps-wiki GitHub Wiki

By default, Docker runs through a non-networked UNIX socket. It can also optionally communicate using an HTTP socket.

If you need Docker to be reachable through the network in a safe manner, you can enable TLS by specifying the "tlsverify" flag and pointing Docker’s tlscacert flag to a trusted CA certificate.

Generate a certificate authority and server certificates for your Docker server. Make sure you replace <server private IP> with the actual private IP of your server. The commands should resemble the following:

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=IN/ST=KERLA/L=Kottayam/O=SAVI /OU=IT/CN=$HOSTNAME"
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:$HOSTNAME,IP:<server private IP>,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

Generate the client certificates:

openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf

Set appropriate permissions on the certificate files:

chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

Configure the Docker host to use tlsverify mode with the certificates created earlier:

sudo vi /etc/docker/daemon.json

{
  "tlsverify": true,
  "tlscacert": "/home/cloud_user/ca.pem",
  "tlscert": "/home/cloud_user/server-cert.pem",
  "tlskey": "/home/cloud_user/server-key.pem"
}

sudo vi /lib/systemd/system/docker.service

Look for the line that begins with ExecStart and change the -H so that it looks like this:

ExecStart=/usr/bin/dockerd -H=0.0.0.0:2376 --containerd=/run/containerd/containerd.sock

Reload systemd and restart Docker:

systemctl daemon-reload
systemctl restart docker

Copy the CA cert and client certificate files to the client machine:

scp ca.pem cert.pem key.pem cloud_user@<client private IP>:/home/cloud_user

On the client machine, configure the client to securely connect to the remote Docker daemon:

mkdir -pv ~/.docker
cp -v {ca,cert,key}.pem ~/.docker
export DOCKER_HOST=tcp://<docker server private IP>:2376 DOCKER_TLS_VERIFY=1

Test the connection:

docker version
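As an added example (not part of this wiki page or of Docker's own tooling), the following POSIX shell script builds the same CA, server and client material with the same openssl steps as above, then runs the checks worth doing before pointing dockerd at the files: that both leaf certificates chain to the CA, that the server and client certificates carry their separate extendedKeyUsage values, that the server SAN contains the IP you will put in DOCKER_HOST, and that the private keys are mode 0400. The hostname docker-host.example.internal, the IP 10.0.0.5 and the CA_PASS passphrase are constructed placeholders; the CA key passphrase is supplied through -passout/-passin so the script runs unattended instead of prompting as the page's commands do.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the Docker TLS material and check it.
# Constructed assumptions: hostname docker-host.example.internal, private IP 10.0.0.5,
# CA key passphrase in CA_PASS (defaults to a placeholder). Replace them for a real host.

# make_docker_tls_pki DIR HOSTNAME PRIVATE_IP
# Writes ca.pem, server-cert.pem/server-key.pem and cert.pem/key.pem into DIR.
make_docker_tls_pki() (
  dir=$1; host=$2; ip=$3
  pass=${CA_PASS:-change-me-example-passphrase}   # constructed placeholder passphrase
  mkdir -p "$dir" && cd "$dir" || exit 1

  # CA: encrypted key (the page's -aes256) and a self-signed root valid for one year
  openssl genrsa -aes256 -passout "pass:$pass" -out ca-key.pem 4096 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -passin "pass:$pass" \
    -subj "/CN=Docker test CA" -out ca.pem

  # Server: SAN carries the name and IP the client will dial; EKU restricts it to serverAuth
  openssl genrsa -out server-key.pem 4096 2>/dev/null
  openssl req -new -sha256 -key server-key.pem -subj "/CN=$host" -out server.csr
  echo "subjectAltName = DNS:$host,IP:$ip,IP:127.0.0.1" > extfile.cnf
  echo "extendedKeyUsage = serverAuth" >> extfile.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -passin "pass:$pass" -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null

  # Client: EKU clientAuth only, so this certificate is never valid as a server certificate
  openssl genrsa -out key.pem 4096 2>/dev/null
  openssl req -new -key key.pem -subj "/CN=client" -out client.csr
  echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -passin "pass:$pass" -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null

  # Same permissions as the page: keys owner-read-only, certificates world-readable
  chmod 0400 ca-key.pem server-key.pem key.pem
  chmod 0444 ca.pem server-cert.pem cert.pem
)

# check_docker_tls_pki DIR PRIVATE_IP
# Prints "all checks passed" and exits 0 only if every check holds; otherwise names the failure.
check_docker_tls_pki() (
  dir=$1; ip=$2
  cd "$dir" || exit 1

  # 1. Both leaf certificates must chain to the CA dockerd will be told to trust (tlscacert)
  openssl verify -CAfile ca.pem server-cert.pem >/dev/null 2>&1 || { echo "server cert does not chain to CA"; exit 1; }
  openssl verify -CAfile ca.pem cert.pem >/dev/null 2>&1 || { echo "client cert does not chain to CA"; exit 1; }

  # 2. EKU separation: server cert usable only as a TLS server, client cert only as a TLS client
  openssl verify -purpose sslserver -CAfile ca.pem server-cert.pem >/dev/null 2>&1 || { echo "server cert lacks serverAuth"; exit 1; }
  openssl verify -purpose sslclient -CAfile ca.pem cert.pem >/dev/null 2>&1 || { echo "client cert lacks clientAuth"; exit 1; }
  if openssl verify -purpose sslserver -CAfile ca.pem cert.pem >/dev/null 2>&1; then
    echo "client cert would also pass as a server cert"; exit 1
  fi

  # 3. The SAN must contain the address used in DOCKER_HOST, or the client rejects the handshake
  openssl x509 -in server-cert.pem -noout -text | grep -qE "IP Address:$ip(,|\$)" \
    || { echo "server cert SAN is missing IP $ip"; exit 1; }

  # 4. Private keys must be mode 0400 (first ten columns of ls -l, so ACL/SELinux markers are ignored)
  for k in ca-key.pem server-key.pem key.pem; do
    [ "$(ls -l "$k" | cut -c1-10)" = "-r--------" ] || { echo "$k is not mode 0400"; exit 1; }
  done
  echo "all checks passed"
)

# Usage: sh docker-tls-check.sh demo  (builds ./docker-tls for the constructed host and checks it)
if [ "${1:-}" = "demo" ]; then
  make_docker_tls_pki ./docker-tls docker-host.example.internal 10.0.0.5 \
    && check_docker_tls_pki ./docker-tls 10.0.0.5
fi
```

The EKU cross-check is the one most often skipped: with tlsverify on, dockerd accepts any certificate the CA signed, so keeping serverAuth and clientAuth on separate certificates, as the page's two extfile entries do, is what stops a copy of server-cert.pem from doubling as a client credential.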

MORE INFO: link