Steps to enable TLS in Docker for secure configuration

Preface

I had previously enabled Docker's 2375 Remote API. I received a request from the company's security department that I need to enable authorization. I looked up the official documentation.

Protect the Docker daemon socket

Enable TLS

On the docker server, generate CA private and public keys

$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (eg server FQDN or YOUR name) []:$HOST
Email Address []:[email protected]

Once you have a CA, you can create a server key and certificate signing request (CSR)

$HOST is your server ip

$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................................++
.................................................................................................................++
e is 65537 (0x10001)

$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Next, use the CA to sign the public key:

$ echo subjectAltName = DNS:$HOST,IP:$HOST:127.0.0.1 >> extfile.cnf

 $ echo extendedKeyUsage = serverAuth >> extfile.cnf

Generate key:

$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
 -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Create the client key and certificate signing request:

$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)

$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

Modify extfile.cnf:

echo extendedKeyUsage = clientAuth > extfile-client.cnf

Generate a signing private key:

$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
 -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Stop the Docker service and modify the Docker service file

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target

Then restart the service

systemctl daemon-reload
systemctl restart docker.service

Check the service status after restart:

systemctl status docker.service
● docker.service - Docker Application Container Engine
  Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
  Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1 min ago

Already in effect.

Connect using a certificate:

Copy the three files ca.pem, cert.pem, and key.pem to the client

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version can be connected

docker-java enable TLS

The project uses docker's java client docker-java to call docker. In order to support TLS, you need to add TLS settings when creating the client.

First, copy the three files ca.pem cert.pem key.pem to a local location, for example, E:\\docker\\",

Then set withDockerTlsVerify to true in DefaultDockerClientConfig and set certpath to the directory just copied.

DefaultDockerClientConfig.Builder builder =
        DefaultDockerClientConfig.createDefaultConfigBuilder()
          .withDockerHost("tcp://" + server + ":2375")
          .withApiVersion("1.30");
      if (containerConfiguration.getDockerTlsVerify()) {
        builder = builder.withDockerTlsVerify(true)
          .withDockerCertPath("E:\\docker\\");
      }
  return DockerClientBuilder.getInstance(builder.build()).build()

The big job is done.

Summarize

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. Thank you for your support of 123WORDPRESS.COM.

You may also be interested in:

Detailed example of remotely connecting to Docker using TLS encrypted communication
Docker containers communicate directly through routing to achieve network communication
About Docker security Docker-TLS encrypted communication issues

<<: A brief introduction to React

>>: Mysql specifies the date range extraction method

Steps to enable TLS in Docker for secure configuration

Using loops in awk

Detailed explanation of various loop speed tests in JS that you don’t know

How to install and configure the Apache Web server

Detailed explanation of the use of umask under Linux

Example of automatic import method of vue3.0 common components

Website front-end performance optimization: JavaScript and CSS

Solutions to invalid is Null segment judgment and IFNULL() failure in MySql

Summary of 7 types of logs in MySQL

How to create dynamic QML objects in JavaScript

Detailed explanation of MySQL from getting started to giving up - installation

Recommend

Solution to the 404/503 problem when logging in to TeamCenter12

How to view and optimize MySql indexes

XHTML no longer uses some obsolete elements in HTML

Implementation of effective user groups and initial user groups in Linux

How does the MySQL database implement the XA specification?

Use native js to simulate the scrolling effect of live bullet screen

MySQL Binlog Data Recovery: Detailed Explanation of Accidentally Deleting a Database

Docker cleaning killer/Docker overlay file takes up too much disk space

Detailed explanation of the idea of xshell remote login to CentOS7 without password login

Solve the problem that line-height=height element height but text is not vertically centered

How to implement a multi-terminal bridging platform based on websocket in JS

CSS3 implements horizontal centering, vertical centering, horizontal and vertical centering example code

Detailed steps for running springboot project in Linux Docker

Window.name solves the problem of cross-domain data transmission

How to implement load balancing in MySQL