Detailed example of remotely connecting to Docker using TLS encrypted communication

Detailed example of remotely connecting to Docker using TLS encrypted communication

By default, Docker runs over a non-networked UNIX socket. It can also use HTTP sockets for optional communication.
If you need to access Docker over the network in a secure manner, you can enable TLS by specifying the Docker flag to point to a trusted CA certificate.
In daemon mode, it only allows connections from clients that are authenticated by a certificate signed by this CA. In client mode, it only connects to servers that have a certificate signed by that CA.

# Create CA certificate directory [root@localhost ~]# mkdir tls
[root@localhost ~]# cd tls/
# Create CA key [root@localhost tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................................++
.....................................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
# Create CA certificate [root@localhost tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
Total dosage 8
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
# Create server private key [root@localhost tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................................................................++
..................++
e is 65537 (0x10001)
[root@localhost tls]# ll
Total dosage 12
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 3243 12月3 19:03 server-key.pem
# Sign the private key [root@localhost tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
[root@localhost tls]# ll
Total dosage 16
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 1574 12月3 19:04 server.csr
-rw-r--r--. 1 root root 3243 12月3 19:03 server-key.pem
Sign with CA certificate and private key, enter the password set above [root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem:
#Generate client key [root@localhost tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
....................................................................................................................................++
.................................++
e is 65537 (0x10001)
#Sign the client [root@localhost tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
#Create configuration file [root@localhost tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
#Sign certificate [root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
Total dosage 40
-rw-r--r--. 1 root root 3326 12月3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 17 December 3 19:35 ca.srl
-rw-r--r--. 1 root root 1696 Dec 3 19:35 cert.pem
-rw-r--r--. 1 root root 1582 December 3 19:29 client.csr
-rw-r--r--. 1 root root 28 12月3 19:32 extfile.cnf
-rw-r--r--. 1 root root 3243 December 3 19:08 key.pem
-rw-r--r--. 1 root root 1647 Dec 3 19:08 server-cert.pem
-rw-r--r--. 1 root root 1574 12月3 19:04 server.csr
-rw-r--r--. 1 root root 3243 12月3 19:03 server-key.pem
# Delete unnecessary files [root@localhost tls]#

Testing on the client

[root@client ~]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
Client: Docker Engine - Community
 Version: 19.03.13
 API version: 1.40
 Go version: go1.13.15
 Git commit: 4484c46d9d
 Built: Wed Sep 16 17:03:45 2020
 OS/Arch: linux/amd64
 Experimental: false

Server: Docker Engine - Community
 Engine:
 Version: 19.03.13
 API version: 1.40 (minimum version 1.12)
 Go version: go1.13.15
 Git commit: 4484c46d9d
 Built: Wed Sep 16 17:02:21 2020
 OS/Arch: linux/amd64
 Experimental: false
 containerd:
 Version: 1.3.9
 GitCommit: ea765aba0d05254012b0b9e595e995c09186427f
 runc:
 Version: 1.0.0-rc10
 GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
 Version: 0.18.0
 GitCommit: fec3683

This concludes this article about using TLS encrypted communication to remotely connect to Docker. For more information about TLS encrypted remote connection to Docker, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:
  • Docker enables secure TLS remote connection access
  • How to set up vscode remote connection to server docker container
  • Docker deploys mysql remote connection to solve 2003 problems
  • Tutorial on installing MySQL with Docker and implementing remote connection
  • Docker deploys mysql to achieve remote connection sample code
  • Detailed explanation of docker daemon remote connection settings
  • Implementation example of Docker remote connection settings

<<:  HTML table tag tutorial (26): cell tag

>>:  How to forget the root password in Mysql8.0.13 under Windows 10 system

Recommend

A friendly alternative to find in Linux (fd command)

The fd command provides a simple and straightforw...

The process of installing and configuring nginx in win10

1. Introduction Nginx is a free, open source, hig...

Detailed explanation of sample code for the improvement and changes brought by CSS variables to JS interactive component development

1. Qualitative changes brought by CSS variables T...

Problems and solutions of error 08001 when linking to MySQL in IDEA and no table display after successful connection

Error: Connection to blog0@localhost failed. [080...

Analysis and solution of the reasons why HTML external reference CSS files are not effective

As a front-end novice, I tinkered with the front-e...

IDEA reports an error when connecting to MySQL! Server returns invalid timezone. Go to tab and set serverTimezone property

The road ahead is always so difficult and full of...

How to calculate the value of ken_len in MySQL query plan

The meaning of key_len In MySQL, you can use expl...

Full-screen drag upload component based on Vue3

This article mainly introduces the full-screen dr...

How to configure Linux firewall and open ports 80 and 3306

Port 80 is also configured. First enter the firew...

A brief understanding of the difference between MySQL union all and union

Union is a union operation on the data, excluding...

Vue realizes the function of book shopping cart

This article example shares the specific code of ...

MySQL Learning (VII): Detailed Explanation of the Implementation Principle of Innodb Storage Engine Index

Overview In a database, an index is used to speed...

Docker deploys Laravel application to realize queue & task scheduling

In the previous article, we wrote about how to de...

Solution to the automatic termination of docker run container

Today I encountered a problem when I used Dockerf...

How to set the border of a web page table

<br />Previously, we learned how to set cell...