Worked example: connecting to a remote Docker daemon over TLS-encrypted communication


By default, Docker runs over a non-networked UNIX socket. It can also, optionally, communicate over an HTTP socket.
If you need to reach Docker securely over the network, you can enable TLS by specifying the `tlsverify` flag and pointing the `tlscacert` flag to a trusted CA certificate.
In daemon mode, it then only accepts connections from clients that authenticate with a certificate signed by that CA. In client mode, it only connects to servers that present a certificate signed by that CA.


#  Create a directory for the CA material
[root@localhost ~]# mkdir tls
[root@localhost ~]# cd tls/
#  Create CA Key 
[root@localhost tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................................++
.....................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
#  Create the self-signed CA certificate
[root@localhost tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
total 8
-rw-r--r--. 1 root root 3326 12 Month  3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 12 Month  3 19:03 ca.pem
#  Create the server private key (not passphrase-protected, so the daemon can load it unattended)
[root@localhost tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................................................................++
..................++
e is 65537 (0x10001)
[root@localhost tls]# ll
total 12
-rw-r--r--. 1 root root 3326 12 Month  3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 12 Month  3 19:03 ca.pem
-rw-r--r--. 1 root root 3243 12 Month  3 19:03 server-key.pem
#  Create a certificate signing request (CSR) for the server key. The wildcard subject `/CN=*` used here matches any host name; the Docker documentation instead uses the daemon's real host name as the CN and adds a subjectAltName for it, which is the safer choice.
[root@localhost tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
[root@localhost tls]# ll
total 16
-rw-r--r--. 1 root root 3326 12 Month  3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 12 Month  3 19:03 ca.pem
-rw-r--r--. 1 root root 1574 12 Month  3 19:04 server.csr
-rw-r--r--. 1 root root 3243 12 Month  3 19:03 server-key.pem
#  Sign the server CSR with the CA private key; enter the CA key passphrase set above
[root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem:
# Generate the client private key
[root@localhost tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
....................................................................................................................++
.................................++
e is 65537 (0x10001)
# Create a CSR for the client key
[root@localhost tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
# Create an extensions file that restricts the certificate to client authentication
[root@localhost tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
# Sign the client CSR with the CA, applying the extensions file
[root@localhost tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@localhost tls]# ll
total 40
-rw-r--r--. 1 root root 3326 12 Month  3 17:20 ca-key.pem
-rw-r--r--. 1 root root 1765 12 Month  3 19:03 ca.pem
-rw-r--r--. 1 root root  17 12 Month  3 19:35 ca.srl
-rw-r--r--. 1 root root 1696 12 Month  3 19:35 cert.pem
-rw-r--r--. 1 root root 1582 12 Month  3 19:29 client.csr
-rw-r--r--. 1 root root  28 12 Month  3 19:32 extfile.cnf
-rw-r--r--. 1 root root 3243 12 Month  3 19:08 key.pem
-rw-r--r--. 1 root root 1647 12 Month  3 19:08 server-cert.pem
-rw-r--r--. 1 root root 1574 12 Month  3 19:04 server.csr
-rw-r--r--. 1 root root 3243 12 Month  3 19:03 server-key.pem
#  Delete the intermediate files that are no longer needed (the two CSRs and extfile.cnf); the private keys (ca-key.pem, server-key.pem, key.pem) should be readable only by their owner, and ca-key.pem should not be left on the daemon host.
[root@localhost tls]#

Test from the client side. This assumes the daemon on `master` is already listening on TCP port 2376 with TLS verification enabled, using ca.pem, server-cert.pem and server-key.pem from the steps above; ca.pem, cert.pem and key.pem have been copied to the client.


[root@client ~]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
Client: Docker Engine - Community
 Version:      19.03.13
 API version:    1.40
 Go version:    go1.13.15
 Git commit:    4484c46d9d
 Built:       Wed Sep 16 17:03:45 2020
 OS/Arch:      linux/amd64
 Experimental:   false

Server: Docker Engine - Community
 Engine:
 Version:     19.03.13
 API version:   1.40 (minimum version 1.12)
 Go version:    go1.13.15
 Git commit:    4484c46d9d
 Built:      Wed Sep 16 17:02:21 2020
 OS/Arch:     linux/amd64
 Experimental:   false
 containerd:
 Version:     1.3.9
 GitCommit:    ea765aba0d05254012b0b9e595e995c09186427f
 runc:
 Version:     1.0.0-rc10
 GitCommit:    dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
 Version:     0.18.0
 GitCommit:    fec3683
