v3ritas.TECH

Securing Docker API with TLS

· Sean P. McAdam

Docker API Certificate

  • I had to set up remote access to the Docker API on one of my hosts & needed to check my notes on exactly what I did to get it set up.
  • The first step was creating the CA that signs both the server and the client certificates (the CA key is encrypted with a passphrase; keep it off the Docker host):
    • I probably should have gone with more than 1 year, but will worry about that when it expires & I have no idea what broke.
openssl genrsa -aes256 -out Docker_API-CA.key.pem 4096
openssl req -new -x509 -days 365 -key Docker_API-CA.key.pem -sha256 -out Docker_API-CA.cert.pem
  • Next, a client certificate for each service that will talk to the API, e.g. Homepage. $service is the service name; extendedKeyUsage = clientAuth restricts the certificate to authenticating as a client, so it cannot be reused to impersonate the daemon.
openssl genrsa -out $service-client.key.pem 4096
openssl req -subj "/CN=$service-client" -new -key $service-client.key.pem -out $service-client.csr
echo extendedKeyUsage = clientAuth > extfile-$service-client.cnf
openssl x509 -req -days 365 -sha256 -in $service-client.csr -CA Docker_API-CA.cert.pem -CAkey Docker_API-CA.key.pem \
  -CAcreateserial -out $service-client.cert.pem -extfile extfile-$service-client.cnf
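The certificate steps above as one script, including the server certificate (Docker_API-Server-$hostname) that the systemd unit further down references but the post never shows being issued. This is an added example, not code from the original post: it assumes the CA passphrase is supplied with -passout/-passin so it runs non-interactively, gives the CA explicit CA extensions instead of relying on the local openssl.cnf defaults, puts the hostname and IP that clients will connect to into the server certificate's subjectAltName (required for --tlsverify clients), and finishes by checking each certificate against the CA for its intended purpose.

```shell
#!/bin/sh
# Added example (not from the original post): builds the post's PKI in one go,
# adds the server certificate, and verifies each cert for its purpose.
set -eu

# make_docker_pki OUTDIR HOST IP SERVICE [CA_PASSPHRASE]
make_docker_pki() {
    dir=$1            # output directory
    host=$2           # hostname clients will use in tcp://HOST:2376
    ip=$3             # IP clients may use instead of the hostname
    service=$4        # client name, e.g. homepage
    ca_pass=${5:-changeme}   # CA key passphrase (assumption: demo value)

    mkdir -p "$dir"

    # CA: encrypted key as in the post; explicit extensions so the result is a
    # real CA (CA:TRUE, keyCertSign) regardless of the local openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Docker_API-CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$ca_pass" \
        -out "$dir/Docker_API-CA.key.pem" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -config "$dir/ca.cnf" \
        -key "$dir/Docker_API-CA.key.pem" -passin "pass:$ca_pass" \
        -out "$dir/Docker_API-CA.cert.pem"

    # Server cert: serverAuth EKU plus SANs, because a --tlsverify client
    # checks the name it connected to against the certificate.
    openssl genrsa -out "$dir/Docker_API-Server-$host.key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$host" \
        -key "$dir/Docker_API-Server-$host.key.pem" -out "$dir/server.csr"
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ip" > "$dir/extfile-server.cnf"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -CA "$dir/Docker_API-CA.cert.pem" -CAkey "$dir/Docker_API-CA.key.pem" \
        -passin "pass:$ca_pass" -CAcreateserial \
        -out "$dir/Docker_API-Server-$host.cert.pem" -extfile "$dir/extfile-server.cnf"

    # Client cert: clientAuth only, so a leaked client cert cannot be turned
    # around and presented as the daemon's certificate.
    openssl genrsa -out "$dir/$service-client.key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$service-client" \
        -key "$dir/$service-client.key.pem" -out "$dir/$service-client.csr"
    echo 'extendedKeyUsage = clientAuth' > "$dir/extfile-$service-client.cnf"
    openssl x509 -req -days 365 -sha256 -in "$dir/$service-client.csr" \
        -CA "$dir/Docker_API-CA.cert.pem" -CAkey "$dir/Docker_API-CA.key.pem" \
        -passin "pass:$ca_pass" -CAcreateserial \
        -out "$dir/$service-client.cert.pem" -extfile "$dir/extfile-$service-client.cnf"

    rm -f "$dir/server.csr" "$dir/$service-client.csr"
    chmod 0400 "$dir"/*.key.pem
}

# check_docker_pki OUTDIR HOST SERVICE
# Returns 0 only if the server cert verifies for the sslserver purpose, the
# client cert verifies for sslclient, the client cert is REJECTED as a server
# cert, and the server cert's SAN carries HOST.
check_docker_pki() {
    dir=$1; host=$2; service=$3
    ca="$dir/Docker_API-CA.cert.pem"
    openssl verify -purpose sslserver -CAfile "$ca" \
        "$dir/Docker_API-Server-$host.cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -purpose sslclient -CAfile "$ca" \
        "$dir/$service-client.cert.pem" >/dev/null 2>&1 || return 1
    if openssl verify -purpose sslserver -CAfile "$ca" \
        "$dir/$service-client.cert.pem" >/dev/null 2>&1; then
        return 1   # a clientAuth-only cert must not pass as a server cert
    fi
    openssl x509 -in "$dir/Docker_API-Server-$host.cert.pem" -noout -text \
        | grep -q "DNS:$host" || return 1
    return 0
}

# usage: sh docker-pki.sh OUTDIR HOST IP SERVICE [CA_PASSPHRASE]
if [ $# -ge 4 ]; then
    make_docker_pki "$@"
    check_docker_pki "$1" "$2" "$4" && echo "PKI in $1 verified"
fi
```

Copy Docker_API-CA.cert.pem and the server pair to the host's ~/.docker/certs/ and the client pair to the service; the CA key stays elsewhere. Once the daemon is up, `docker --tlsverify --tlscacert=Docker_API-CA.cert.pem --tlscert=$service-client.cert.pem --tlskey=$service-client.key.pem -H=tcp://HOST:2376 version` should succeed, and the same command without --tlscert/--tlskey should be refused.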
  • To serve the Docker API on :2376 as well as on the local socket, I needed to edit one of the config files.
    • If running rootless, the file to edit is the user unit “~/.config/systemd/user/docker.service”. The ExecStart below makes dockerd use the new TLS certificate, serve the API on port 2376, AND keep serving the local socket. The part that actually secures the port is --tlsverify: with it, dockerd refuses any connection whose client certificate is not signed by Docker_API-CA. Without it, -H tcp://… would expose an unauthenticated API, and anyone reaching the port would have full control of the daemon and every container it runs, so treat the client key like an SSH key.
    • Two things to watch: the -p in DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS is what publishes the port on the host (the -H tcp:// address is bound inside RootlessKit's network namespace), and systemd does not expand ~ in ExecStart, so if dockerd cannot open the certificates, write the paths with systemd's %h specifier or as absolute paths. After editing the unit, run systemctl --user daemon-reload before restarting docker.

…
Environment=DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp"
ExecStart=/usr/bin/dockerd-rootless.sh \
  --tlsverify \
  --tlscacert=~/.docker/certs/Docker_API-CA.cert.pem \
  --tlscert=~/.docker/certs/Docker_API-Server-$hostname.cert.pem \
  --tlskey=~/.docker/certs/Docker_API-Server-$hostname.key.pem \
  -H unix:///run/user/1000/docker.sock \
  -H tcp://127.0.0.1:2376
…

  • After that I restarted the Docker service & all was working as expected.