Steps to enable TLS in Docker for secure configuration

Preface

I had previously enabled Docker's 2375 Remote API. I received a request from the company's security department that I need to enable authorization. I looked up the official documentation.

Protect the Docker daemon socket

Enable TLS

On the docker server, generate CA private and public keys

$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (eg server FQDN or YOUR name) []:$HOST
Email Address []:[email protected]

Once you have a CA, you can create a server key and certificate signing request (CSR)

$HOST is your server ip

$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................................++
.................................................................................................................++
e is 65537 (0x10001)

$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Next, use the CA to sign the public key:

$ echo subjectAltName = DNS:$HOST,IP:$HOST:127.0.0.1 >> extfile.cnf

 $ echo extendedKeyUsage = serverAuth >> extfile.cnf

Generate key:

$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
 -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Create the client key and certificate signing request:

$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)

$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

Modify extfile.cnf:

echo extendedKeyUsage = clientAuth > extfile-client.cnf

Generate a signing private key:

$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
 -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Stop the Docker service and modify the Docker service file

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target

Then restart the service

systemctl daemon-reload
systemctl restart docker.service

Check the service status after restart:

systemctl status docker.service
● docker.service - Docker Application Container Engine
  Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
  Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1 min ago

Already in effect.

Connect using a certificate:

Copy the three files ca.pem, cert.pem, and key.pem to the client

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version can be connected

docker-java enable TLS

The project uses docker's java client docker-java to call docker. In order to support TLS, you need to add TLS settings when creating the client.

First, copy the three files ca.pem cert.pem key.pem to a local location, for example, E:\\docker\\",

Then set withDockerTlsVerify to true in DefaultDockerClientConfig and set certpath to the directory just copied.

DefaultDockerClientConfig.Builder builder =
        DefaultDockerClientConfig.createDefaultConfigBuilder()
          .withDockerHost("tcp://" + server + ":2375")
          .withApiVersion("1.30");
      if (containerConfiguration.getDockerTlsVerify()) {
        builder = builder.withDockerTlsVerify(true)
          .withDockerCertPath("E:\\docker\\");
      }
  return DockerClientBuilder.getInstance(builder.build()).build()

The big job is done.

Summarize

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. Thank you for your support of 123WORDPRESS.COM.

You may also be interested in:

Detailed example of remotely connecting to Docker using TLS encrypted communication
Docker containers communicate directly through routing to achieve network communication
About Docker security Docker-TLS encrypted communication issues

<<: A brief introduction to React

>>: Mysql specifies the date range extraction method

Problems with configuring https server and reverse proxy with Nginx under Windows

Steps to enable TLS in Docker for secure configuration

Problems with configuring https server and reverse proxy with Nginx under Windows

Installing Win10 system on VMware workstation 14 pro

Detailed installation and configuration tutorial of PostgreSQL 11 under CentOS7

The process of quickly converting mysql left join to inner join

Vue.js implements music player

About using Keepalived to achieve automatic restart of Nginx and dual-active hot standby high availability

Analysis of three parameters of MySQL replication problem

A pitfall and solution of using fileReader

Implementation steps of js object-oriented encapsulation cascading drop-down menu list

MySQL 5.5.27 winx64 installation and configuration method graphic tutorial

Recommend

Introduction to TypeScript basic types

How to set process.env.NODE_ENV production environment mode

Analysis of product status in interactive design that cannot be ignored in design

Detailed explanation of padding and abbreviations within the CSS box model

Detailed explanation of javascript event bubbling, event capture and event delegation

Installation and configuration method of Zabbix Agent on Linux platform

Using JavaScript to implement carousel effects

v-for directive in vue completes list rendering

Web design must have purpose, ideas, thoughts and persistence

Detailed explanation of the error problem of case when statement

Detailed explanation of eight methods to achieve CSS page bottom fixed

MySQL 8.0.18 installation and configuration graphic tutorial

In-depth analysis of MySQL database transactions and locks

How to solve the mysql error 1033 Incorrect information in file: 'xxx.frm'

Solution to secure-file-priv problem when exporting MySQL data