This procedure uses the certs.sh script from my other gist. Download that script directly or git clone the gist.
./certs.sh init
./certs.sh create -name centos-10 -cn centos-10.lan \
-alt DNS:centos-10.lan,IP:192.168.0.10 -server -client
NOTE: I used the -client option to allow for the possibility of using this cert for something like securing etcd inter-node communication.
./certs.sh create -name client -cn CLIENT -client
Transfer the server cert using:
./certs.sh ssh -user root -name centos-10 -path /etc/docker
Follow the instructions in the https docs and add a snippet like the following to /etc/default/docker on pre-systemd releases of Ubuntu:
DOCKER_OPTS="$DOCKER_OPTS -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376"
DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert=/var/lib/docker/ca.pem \
    --tlscert=/var/lib/docker/server.pem \
    --tlskey=/var/lib/docker/server-key.pem"
or to /etc/sysconfig/docker on Red Hat-ish distros:
DOCKER_CERT_PATH=/etc/docker
other_args="$other_args -H unix:///var/run/docker.sock -H 0.0.0.0:2376"
other_args="$other_args --tlsverify \
    --tlscacert=$DOCKER_CERT_PATH/ca.pem \
    --tlscert=$DOCKER_CERT_PATH/centos-10-cert.pem \
    --tlskey=$DOCKER_CERT_PATH/centos-10-key.pem"
NOTE: I left the UNIX socket binding to simplify local usage, but you can leave that out.
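The point of the daemon options above is that a TCP listener on 2376 must never be reachable without --tlsverify and the three certificate options, otherwise anyone who can reach the port has full control of the daemon. The script below is an added example (not part of this gist or of certs.sh) that audits an options file in either of the two styles shown: it joins the DOCKER_OPTS= or other_args= lines, expands $DOCKER_CERT_PATH, and fails when a non-UNIX listener is configured without complete TLS client verification. The sample files it writes into a temp dir are constructed for the demonstration; on a real host you would point it at /etc/default/docker or /etc/sysconfig/docker.

```shell
#!/bin/sh
# Added example, not part of the gist or of certs.sh: audit a Docker daemon
# options file in the /etc/default/docker (DOCKER_OPTS=) or
# /etc/sysconfig/docker (other_args=) style and fail when the daemon listens
# on TCP without requiring a client certificate (--tlsverify together with
# --tlscacert/--tlscert/--tlskey). File names and contents in
# write_sample_configs are constructed for the demonstration.

# Print the daemon arguments from one options file as a single line: drop the
# DOCKER_CERT_PATH assignment, strip the variable-assignment prefixes, quotes
# and line-continuation backslashes, and expand the variables the snippets use.
docker_daemon_args() {
    file=$1
    cert_path=$(sed -n 's/^DOCKER_CERT_PATH=//p' "$file" | tail -n 1)
    grep -v '^DOCKER_CERT_PATH=' "$file" \
        | sed -e 's/^DOCKER_OPTS=//' -e 's/^other_args=//' \
              -e 's/"//g' -e 's/\\$//' \
              -e 's/\$DOCKER_OPTS//g' -e 's/\$other_args//g' \
              -e "s#\\\$DOCKER_CERT_PATH#$cert_path#g" \
        | tr '\n' ' '
}

# Return 0 when the file is safe (no TCP listener, or a TCP listener with full
# TLS client verification), 1 otherwise.
audit_docker_tls() {
    file=$1
    # normalise "-H=value" / "--host=value" to the two-token form
    args=$(docker_daemon_args "$file" | sed -e 's/-H=/-H /g' -e 's/--host=/--host /g')
    tcp=0 expect_host=0 verify=0 cacert=0 cert=0 key=0
    for tok in $args; do
        if [ "$expect_host" = 1 ]; then
            expect_host=0
            # anything that is not a local socket is a network listener
            case $tok in
                unix://*|fd://*) ;;
                *) tcp=1 ;;
            esac
            continue
        fi
        case $tok in
            -H|--host)                    expect_host=1 ;;
            --tlsverify|--tlsverify=true) verify=1 ;;
            --tlscacert=*)                cacert=1 ;;
            --tlscert=*)                  cert=1 ;;
            --tlskey=*)                   key=1 ;;
        esac
    done
    if [ "$tcp" = 0 ]; then
        echo "OK   $file: no TCP listener"
        return 0
    fi
    if [ "$verify$cacert$cert$key" = 1111 ]; then
        echo "OK   $file: TCP listener requires a CA-signed client certificate"
        return 0
    fi
    echo "FAIL $file: TCP listener without --tlsverify/--tlscacert/--tlscert/--tlskey"
    return 1
}

# Write two constructed sample files into DIR: a Red Hat style file matching
# the snippet above (good) and an Ubuntu style file exposing the API over
# plain TCP (bad).
write_sample_configs() {
    dir=$1
    cat > "$dir/sysconfig-docker.good" <<'EOF'
DOCKER_CERT_PATH=/etc/docker
other_args="$other_args -H unix:///var/run/docker.sock -H 0.0.0.0:2376"
other_args="$other_args --tlsverify \
    --tlscacert=$DOCKER_CERT_PATH/ca.pem \
    --tlscert=$DOCKER_CERT_PATH/centos-10-cert.pem \
    --tlskey=$DOCKER_CERT_PATH/centos-10-key.pem"
EOF
    cat > "$dir/default-docker.bad" <<'EOF'
DOCKER_OPTS="$DOCKER_OPTS -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
EOF
}

# Demonstration on the constructed files.
demo() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    audit_docker_tls "$dir/sysconfig-docker.good"
    audit_docker_tls "$dir/default-docker.bad" || true
    rm -rf "$dir"
}
demo
```

The check deliberately treats --tls on its own as a failure as well: without --tlsverify the daemon encrypts the connection but accepts any client, so the listener is still open to the network.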
Don't forget to adjust your firewall rules, if applicable:
iptables -I INPUT 1 -p tcp --dport 2376 -m comment --comment "Docker" -j ACCEPT
Use certs.sh bundle to create an archive of the client certificate files, (securely) transfer that archive to your client(s) and expand it.
docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
-H=192.168.0.10:2376 \
version
You can also copy the pem files into $HOME/.docker and set the DOCKER_TLS_VERIFY environment variable:
cp ca.pem $HOME/.docker/ca.pem
cp *-cert.pem $HOME/.docker/cert.pem
cp *-key.pem $HOME/.docker/key.pem
export DOCKER_TLS_VERIFY=1
See this section for more information.
docker-machine --tls-ca-cert=ca.pem --tls-client-cert=client-cert.pem --tls-client-key=client-key.pem \
create \
--driver none \
--url=tcp://192.168.0.10:2376 \
centos-10
You can also copy the three pem files into $HOME/.docker/machine/machines/$MACHINE, but you need to rename them:
- *-cert.pem to server.pem
- *-key.pem to server-key.pem