We use cookies to ensure you get the best experience on our website
Головна сторінка Огляд Довідка
Реєстрація Увійти
0ct0pu5
/
moby
1
0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Дерево: ada86fc5b7
Гілки Теги
moby
/
docs
/
sources
/
examples
/
https.rst

https.rst 4.1 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126 
  1. :title: Docker HTTPS Setup
    2. 

  2. :description: How to setup docker with https
    3. 

  3. :keywords: docker, example, https, daemon
    4. 

  4. 

  5. .. _running_docker_https:
    6. 

  6. 

  7. Running Docker with https
    8. 

  8. =========================
    9. 

  9. 

  10. By default, Docker runs via a non-networked Unix socket. It can also optionally
    11. 

  11. communicate using a HTTP socket.
    12. 

  12. 

  13. If you need Docker reachable via the network in a safe manner, you can enable
    14. 

  14. TLS by specifying the `tlsverify` flag and pointing Docker's `tlscacert` flag to a
    15. 

  15. trusted CA certificate.
    16. 

  16. 

  17. In daemon mode, it will only allow connections from clients authenticated by a
    18. 

  18. certificate signed by that CA. In client mode, it will only connect to servers
    19. 

  19. with a certificate signed by that CA.
    20. 

  20. 

  21. .. warning::
    22. 

  22. 

  23.   Using TLS and managing a CA is an advanced topic. Please make you self familiar
    24. 

  24.   with openssl, x509 and tls before using it in production.
    25. 

  25. 

  26. Create a CA, server and client keys with OpenSSL
    27. 

  27. ------------------------------------------------
    28. 

  28. 

  29. First, initialize the CA serial file and generate CA private and public keys:
    30. 

  30. 

  31. .. code-block:: bash
    32. 

  32. 

  33.     $ echo 01 > ca.srl
    34. 

  34.     $ openssl genrsa -des3 -out ca-key.pem
    35. 

  35.     $ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem
    36. 

  36. 

  37. Now that we have a CA, you can create a server key and certificate signing request.
    38. 

  38. Make sure that `"Common Name (e.g. server FQDN or YOUR name)"` matches the hostname you will use
    39. 

  39. to connect to Docker or just use '*' for a certificate valid for any hostname:
    40. 

  40. 

  41. .. code-block:: bash
    42. 

  42. 

  43.     $ openssl genrsa -des3 -out server-key.pem
    44. 

  44.     $ openssl req -new -key server-key.pem -out server.csr
    45. 

  45. 

  46. Next we're going to sign the key with our CA:
    47. 

  47. 

  48. .. code-block:: bash
    49. 

  49. 

  50.     $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    51. 

  51.       -out server-cert.pem
    52. 

  52. 

  53. For client authentication, create a client key and certificate signing request:
    54. 

  54. 

  55. .. code-block:: bash
    56. 

  56. 

  57.     $ openssl genrsa -des3 -out client-key.pem
    58. 

  58.     $ openssl req -new -key client-key.pem -out client.csr
    59. 

  59. 

  60. 

  61. To make the key suitable for client authentication, create a extensions config file:
    62. 

  62. 

  63. .. code-block:: bash
    64. 

  64. 

  65.     $ echo extendedKeyUsage = clientAuth > extfile.cnf
    66. 

  66. 

  67. Now sign the key:
    68. 

  68. 

  69. .. code-block:: bash
    70. 

  70. 

  71.     $ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    72. 

  72.       -out client-cert.pem -extfile extfile.cnf
    73. 

  73. 

  74. Finally you need to remove the passphrase from the client and server key:
    75. 

  75. 

  76. .. code-block:: bash
    77. 

  77. 

  78.     $ openssl rsa -in server-key.pem -out server-key.pem
    79. 

  79.     $ openssl rsa -in client-key.pem -out client-key.pem
    80. 

  80.   
    81. 

  81. Now you can make the Docker daemon only accept connections from clients providing
    82. 

  82. a certificate trusted by our CA:
    83. 

  83. 

  84. .. code-block:: bash
    85. 

  85. 

  86.     $ sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
    87. 

  87.       -H=0.0.0.0:4243
    88. 

  88. 

  89. To be able to connect to Docker and validate its certificate, you now need to provide your client keys,
    90. 

  90. certificates and trusted CA:
    91. 

  91. 

  92. .. code-block:: bash
    93. 

  93. 

  94.    $ docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
    95. 

  95.      -H=dns-name-of-docker-host:4243
    96. 

  96. 

  97. .. warning::
    98. 

  98. 

  99.   As shown in the example above, you don't have to run the ``docker``
    100. 

  100.   client  with ``sudo`` or the ``docker`` group when you use
    101. 

  101.   certificate authentication. That means anyone with the keys can
    102. 

  102.   give any instructions to your Docker daemon, giving them root
    103. 

  103.   access to the machine hosting the daemon. Guard these keys as you
    104. 

  104.   would a root password!
    105. 

  105. 

  106. Other modes
    107. 

  107. -----------
    108. 

  108. If you don't want to have complete two-way authentication, you can run Docker in
    109. 

  109. various other modes by mixing the flags.
    110. 

  110. 

  111. Daemon modes
    112. 

  112. ~~~~~~~~~~~~
    113. 

  113. - tlsverify, tlscacert, tlscert, tlskey set: Authenticate clients
    114. 

  114. - tls, tlscert, tlskey: Do not authenticate clients
    115. 

  115. 

  116. Client modes
    117. 

  117. ~~~~~~~~~~~~
    118. 

  118. - tls: Authenticate server based on public/default CA pool
    119. 

  119. - tlsverify, tlscacert: Authenticate server based on given CA
    120. 

  120. - tls, tlscert, tlskey: Authenticate with client certificate, do not authenticate
    121. 

  121.   server based on given CA
    122. 

  122. - tlsverify, tlscacert, tlscert, tlskey: Authenticate with client certificate,
    123. 

  123.   authenticate server based on given CA
    124. 

  124. 

  125. The client will send its client certificate if found, so you just need to drop
    126. 

  126. your keys into `~/.docker/<ca, cert or key>.pem`
    127.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5