Motivation

  • Enabling the Docker daemon socket on a Docker host to accept remote connections may be required in certain situations (e.g. automation, centralized management, integration over the Docker API)
  • Especially in production and when dealing with sensitive data, the TCP connection must be protected by enabling TLS
  • This post brings together the minimal steps required to (1) configure the Docker daemon socket for TLS and (2) generate the certificates, on a sample basis

Secured remote management

Prerequisites

The setup described below has been tested in the following environment:

  • Docker host based on CentOS/RHEL 7
  • Docker Engine 1.12.5 (or higher) installed

SSL Certificates

  • Create the required SSL server and client certificates (best practice is to have them signed by an official certificate authority)
  • Just for reference and for development use, here is a sample:
  • Keep in mind that best practice is to generate the private key(s) on the machine where they are needed, so that only the certificate signing request has to be shared with your CA of choice
  • Ensure the private key and certificates are placed securely on the Docker host:
mkdir /root/.docker
cp server-cert.pem server-key.pem ca.pem /root/.docker
# the server key is readable by root only; the certificates are public and may be world-readable
chmod -v 0400 /root/.docker/server-key.pem
chmod -v 0444 /root/.docker/{server-cert.pem,ca.pem}

Docker socket config

  • Create the following directory:
mkdir /etc/systemd/system/docker.service.d
  • Create the following service config file:
vi /etc/systemd/system/docker.service.d/docker.conf
  • Copy and paste the following content (adjust as needed):
[Service]
# the empty ExecStart= clears the ExecStart inherited from the packaged unit before the TLS-enabled one is set
ExecStart=
# --tlsverify makes the daemon require a client certificate signed by the --tlscacert CA; --tls=true alone would only encrypt the connection and accept any client
ExecStart=/usr/bin/dockerd --tlsverify --tlscert=/root/.docker/server-cert.pem --tlskey=/root/.docker/server-key.pem --tlscacert=/root/.docker/ca.pem -H tcp://docker-node01.example.com:2376
  • Reload the systemd configuration:
systemctl daemon-reload
  • Restart the Docker daemon:
systemctl restart docker

Connection test

  • Run the following command from a client (using the client certificate, key and CA certificate) to test the connection over TLS:
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=docker-node01.example.com:2376 version
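As an added example (not from the original post), a shell check for the daemon-side setting the drop-in above controls: it reads a dockerd ExecStart line and reports whether the TCP listener actually authenticates clients rather than merely encrypting. The sample ExecStart lines are constructed from this post's own paths and hostname.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the ExecStart line of a
# dockerd systemd drop-in for the TLS settings this post configures.
# Prints one finding per line; returns 0 when the TCP listener is protected by
# mutual TLS (or no TCP listener exists), 1 otherwise.
audit_dockerd_execstart() {
    line=$1
    findings=0
    case "$line" in
        *tcp://*) ;;
        *) echo "OK: no TCP listener, only the local socket is exposed"; return 0 ;;
    esac
    # --tls / --tls=true only encrypts the connection. Without --tlsverify the
    # daemon accepts any client, so --tlscacert alone authenticates nobody.
    case "$line" in
        *--tlsverify=false*) echo "FAIL: --tlsverify=false disables client authentication"; findings=$((findings+1)) ;;
        *--tlsverify*) ;;
        *) echo "FAIL: --tlsverify missing, clients are not authenticated"; findings=$((findings+1)) ;;
    esac
    for flag in --tlscacert --tlscert --tlskey; do
        case "$line" in
            *"$flag="*) ;;
            *) echo "FAIL: $flag not set"; findings=$((findings+1)) ;;
        esac
    done
    # 2376 is the conventional TLS port; 2375 is the plaintext Docker API port.
    case "$line" in
        *tcp://*:2375*) echo "FAIL: port 2375 is the plaintext Docker API port"; findings=$((findings+1)) ;;
    esac
    # Informational only: binding to all interfaces is acceptable with mutual TLS.
    case "$line" in
        *tcp://0.0.0.0:*) echo "INFO: listener bound to all interfaces" ;;
    esac
    [ "$findings" -eq 0 ] && echo "OK: TCP listener protected by mutual TLS"
    return $((findings > 0))
}

# Constructed samples: the post's drop-in with --tls=true, the same line with
# --tlsverify, and a plaintext listener. Each is the ExecStart= value without the prefix.
for cmd in \
    '/usr/bin/dockerd --tls=true --tlscert=/root/.docker/server-cert.pem --tlskey=/root/.docker/server-key.pem --tlscacert=/root/.docker/ca.pem -H tcp://docker-node01.example.com:2376' \
    '/usr/bin/dockerd --tlsverify --tlscert=/root/.docker/server-cert.pem --tlskey=/root/.docker/server-key.pem --tlscacert=/root/.docker/ca.pem -H tcp://docker-node01.example.com:2376' \
    '/usr/bin/dockerd -H tcp://0.0.0.0:2375'
do
    echo "== $cmd"
    audit_dockerd_execstart "$cmd" || true
done
```

On a live host, feed it the drop-in's own line: `audit_dockerd_execstart "$(grep '^ExecStart=/' /etc/systemd/system/docker.service.d/docker.conf | cut -d= -f2-)"`.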
