Detailed example of remotely connecting to Docker using TLS encrypted communication

By default, Docker listens on a non-networked UNIX socket; it can optionally listen on a TCP (HTTP) socket as well.
If you need to reach Docker over the network securely, enable TLS by setting the tlsverify flag and pointing the tlscacert flag at a trusted CA certificate.
In daemon mode, the daemon then only accepts connections from clients that present a certificate signed by this CA. In client mode, the client only connects to servers whose certificate is signed by that CA.

# Create the CA certificate directory
[root@localhost ~]# mkdir tls
[root@localhost ~]# cd tls/
# Create the CA private key (passphrase-protected)
[root@localhost tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................................++
.....................................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
# Create the CA certificate
[root@localhost tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
total 8
-rw-r--r--. 1 root root 3326 Dec 3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
# Create the server private key
[root@localhost tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................................................................++
..................++
e is 65537 (0x10001)
[root@localhost tls]# ll
total 12
-rw-r--r--. 1 root root 3326 Dec 3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 3243 Dec 3 19:03 server-key.pem
# Create the server certificate signing request (CSR)
[root@localhost tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
[root@localhost tls]# ll
total 16
-rw-r--r--. 1 root root 3326 Dec 3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 1574 Dec 3 19:04 server.csr
-rw-r--r--. 1 root root 3243 Dec 3 19:03 server-key.pem
# Sign the server CSR with the CA certificate and key; enter the CA passphrase set above
[root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem:
# Generate the client private key
[root@localhost tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
....................................................................................................................................++
.................................++
e is 65537 (0x10001)
# Create the client certificate signing request
[root@localhost tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
# Create the extensions file that marks the certificate for client authentication
[root@localhost tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
# Sign the client CSR with the CA certificate and key
[root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
total 40
-rw-r--r--. 1 root root 3326 Dec 3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 Dec 3 19:03 ca.pem
-rw-r--r--. 1 root root 17 Dec 3 19:35 ca.srl
-rw-r--r--. 1 root root 1696 Dec 3 19:35 cert.pem
-rw-r--r--. 1 root root 1582 Dec 3 19:29 client.csr
-rw-r--r--. 1 root root 28 Dec 3 19:32 extfile.cnf
-rw-r--r--. 1 root root 3243 Dec 3 19:08 key.pem
-rw-r--r--. 1 root root 1647 Dec 3 19:08 server-cert.pem
-rw-r--r--. 1 root root 1574 Dec 3 19:04 server.csr
-rw-r--r--. 1 root root 3243 Dec 3 19:03 server-key.pem
# Delete the files that are no longer needed
[root@localhost tls]#

Testing on the client

[root@client ~]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
Client: Docker Engine - Community
 Version: 19.03.13
 API version: 1.40
 Go version: go1.13.15
 Git commit: 4484c46d9d
 Built: Wed Sep 16 17:03:45 2020
 OS/Arch: linux/amd64
 Experimental: false

Server: Docker Engine - Community
 Engine:
 Version: 19.03.13
 API version: 1.40 (minimum version 1.12)
 Go version: go1.13.15
 Git commit: 4484c46d9d
 Built: Wed Sep 16 17:02:21 2020
 OS/Arch: linux/amd64
 Experimental: false
 containerd:
 Version: 1.3.9
 GitCommit: ea765aba0d05254012b0b9e595e995c09186427f
 runc:
 Version: 1.0.0-rc10
 GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
 Version: 0.18.0
 GitCommit: fec3683
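The certificate steps above, as one non-interactive script followed by the checks worth running before pointing docker --tlsverify at the result; this is an added example, not the article's own commands. It assumes openssl on PATH, takes the daemon name "master" from the page's -H tcp://master:2376, and uses a constructed CA passphrase and CA name. It departs from the page in one respect: the server certificate names the daemon host in its CN and subjectAltName instead of the wildcard "*", because that name is what the client verifies against the host it dials.

```shell
#!/bin/sh
# Added example, not the article's own commands: the page's certificate steps
# run non-interactively, then the checks a --tlsverify connection depends on.
# Assumes openssl on PATH; CA_PASS and the CA CN "docker-ca" are constructed.
set -eu
: "${CA_PASS:=constructed-demo-passphrase}"   # the page types this at the prompts
: "${KEY_BITS:=4096}"                         # the page uses 4096-bit keys

# make_docker_tls_pki DIR HOST: CA, server and client material for daemon HOST
make_docker_tls_pki() (
    cd "$1" || exit 1
    host=$2
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 1000 -key ca-key.pem -passin "pass:$CA_PASS" \
        -sha256 -subj "/CN=docker-ca" -out ca.pem
    # Server cert: the page uses CN=*; here CN and SAN carry the daemon's name,
    # which is what the client checks against its -H tcp://HOST:2376 target.
    openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' "$host" >server-ext.cnf
    openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile server-ext.cnf -out server-cert.pem
    # Client cert exactly as on the page: the clientAuth EKU is what the daemon requires.
    openssl genrsa -out key.pem "$KEY_BITS" 2>/dev/null
    openssl req -subj "/CN=client" -new -key key.pem -out client.csr
    echo extendedKeyUsage=clientAuth >extfile.cnf
    openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile extfile.cnf -out cert.pem
    # The "delete unnecessary files" step the page leaves blank, plus key file modes.
    rm -f client.csr server.csr extfile.cnf server-ext.cnf
    chmod 0400 ca-key.pem key.pem server-key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_docker_tls_pki DIR HOST: returns 0 when the files would pass --tlsverify for HOST
verify_docker_tls_pki() {
    # both leaf certificates chain to ca.pem
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/cert.pem" >/dev/null 2>&1 || return 1
    # the server certificate is valid for the name the client will dial
    openssl x509 -in "$1/server-cert.pem" -noout -checkhost "$2" | grep -q 'does match' || return 1
    # the client certificate carries the clientAuth extended key usage
    openssl x509 -in "$1/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

out=${1:-$(mktemp -d)}
make_docker_tls_pki "$out" "${2:-master}" >/dev/null
verify_docker_tls_pki "$out" "${2:-master}" && echo "TLS material for ${2:-master} ready in $out"
```

Copy ca.pem, cert.pem and key.pem to the client and ca.pem, server-cert.pem and server-key.pem to the daemon; the daemon's own --tlsverify/--tlscacert/--tlscert/--tlskey flags are not covered by the article.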

This concludes this article about using TLS encrypted communication to remotely connect to Docker.