Connect to a remote docker host with docker-machine using TLS certificates

My goal is to use a local shell to connect to my remote Docker host on my home server, so that I can develop my Dockerfile or docker-compose files locally and easily deploy them to the remote machine, where they should run in the end.

Configuration on the host

I use systemd as system and service manager. To make Docker listen on a TCP port (the default is 2376), the option -H tcp://0.0.0.0:2376 needs to be added to the startup command. This exposes Docker to the world, which is not a very good idea when you run Docker on, let's say, a root server: anyone who knows that Docker is listening on your server could use it, so the endpoint needs to be secured.

Securing the socket is described in the Docker docs (Securing Engine) and uses an X.509 public key infrastructure. A nice tutorial on how to create keys and a certification authority (CA) can be found on this blog: http://tech.paulcz.net/2016/01/secure-docker-with-tls/, so I will not go into further detail. With the certificates in place, the ExecStart part of the systemd unit (here as a drop-in override, where the first empty ExecStart= clears the original command) looks like this:

# First Clear ExecStart
ExecStart=
# Set new ExecStart
ExecStart=/usr/bin/docker daemon \
       -s overlay2 \
       -H fd:// -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock \
       --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem

Since I do not like messing too much with systemd service files, I tried to find a way to configure the Docker daemon without modifying the systemd service. This can be done via daemon.json in /etc/docker. The file has to look like this:

{
    "hosts": ["fd://", "tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
    "storage-driver": "overlay",
    "max-concurrent-downloads": 10,
    "tls": true,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "tlsverify": true
}
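As an added example (my own check, not code from this post or from Docker), the following Python script audits the host-side configuration described above. It parses a daemon.json together with the ExecStart lines of a systemd unit or drop-in, flags a TCP listener that lacks tlsverify (with plain "tls": true the connection is encrypted but any client is accepted), and reports options that appear in both places, because dockerd refuses to start when the same directive is given both as a command-line flag and in the configuration file; that is exactly what happens when daemon.json sets "hosts" while the stock unit still passes -H fd://. The sample configurations inside it are constructed, and only the flags this post uses are interpreted.

```python
import json
import shlex

# dockerd flags -> the daemon.json key they correspond to (only the ones used in the post).
FLAG_TO_KEY = {
    "-H": "hosts", "--host": "hosts",
    "-s": "storage-driver", "--storage-driver": "storage-driver",
    "--tls": "tls", "--tlsverify": "tlsverify",
    "--tlscacert": "tlscacert", "--tlscert": "tlscert", "--tlskey": "tlskey",
}
BOOLEAN_KEYS = {"tls", "tlsverify"}

# Constructed sample inputs (not taken from a real host).
DAEMON_JSON_OK = """{
    "hosts": ["fd://", "tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "tlsverify": true
}"""
# Encrypts the connection but never checks a client certificate.
DAEMON_JSON_WEAK = """{"hosts": ["fd://", "tcp://0.0.0.0:2376"], "tls": true}"""
# Stock unit: dockerd is started with -H fd:// on the command line.
UNIT_STOCK = "ExecStart=/usr/bin/dockerd -H fd://\n"
# Drop-in that clears ExecStart and restarts dockerd without flags, leaving everything to daemon.json.
UNIT_DROPIN = "ExecStart=\nExecStart=/usr/bin/dockerd\n"


def effective_execstart(unit_text):
    """Apply systemd list semantics: an 'ExecStart=' with no value clears earlier lines."""
    commands = []
    for raw in unit_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line.startswith("ExecStart="):
            continue
        value = line[len("ExecStart="):].strip()
        commands = [] if value == "" else commands + [value]
    return commands


def parse_flags(command):
    """Map the dockerd flags of one ExecStart command line onto daemon.json keys."""
    settings = {}
    tokens = shlex.split(command)[1:]  # drop the binary path; a leading 'daemon' word is ignored
    i = 0
    while i < len(tokens):
        name, _, inline = tokens[i].partition("=")
        key = FLAG_TO_KEY.get(name)
        if key is None:
            i += 1
            continue
        if key in BOOLEAN_KEYS:
            value = inline.lower() != "false" if inline else True
        elif inline:
            value = inline
        else:
            i += 1
            value = tokens[i]
        if key == "hosts":
            settings.setdefault("hosts", []).append(value)
        else:
            settings[key] = value
        i += 1
    return settings


def audit_daemon(daemon_json_text, unit_text):
    """Return a list of 'LEVEL: message' findings for daemon.json plus the unit's ExecStart."""
    cfg = json.loads(daemon_json_text)
    flags = {}
    for command in effective_execstart(unit_text):
        flags.update(parse_flags(command))
    findings = []
    # dockerd refuses to start when the same option comes from both sources.
    for key in sorted(set(cfg) & set(flags)):
        findings.append(f"CONFLICT: '{key}' is set in daemon.json and on the ExecStart line")
    merged = {**flags, **cfg}
    tcp_hosts = [h for h in merged.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not merged.get("tlsverify"):
        level = "WARNING" if merged.get("tls") else "CRITICAL"
        detail = "TLS is on but clients are not authenticated" if merged.get("tls") else "no TLS at all"
        findings.append(f"{level}: TCP listener {tcp_hosts} with {detail}; "
                        "anyone reaching the port controls the daemon")
    if merged.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in merged:
                findings.append(f"ERROR: tlsverify is enabled but '{key}' is not set")
    if any("0.0.0.0" in h for h in tcp_hosts):
        findings.append("INFO: listener bound on all interfaces; restrict reachability with a firewall")
    return findings


if __name__ == "__main__":
    for label, js, unit in (("stock unit", DAEMON_JSON_OK, UNIT_STOCK),
                            ("drop-in", DAEMON_JSON_OK, UNIT_DROPIN),
                            ("tls only", DAEMON_JSON_WEAK, UNIT_DROPIN)):
        print(label, audit_daemon(js, unit))
```

Run as a script it walks through three scenarios: the post's daemon.json with the stock unit produces a CONFLICT on hosts, the same file with a drop-in that clears ExecStart produces only the informational note about 0.0.0.0, and a file with "tls": true but no tlsverify is marked WARNING because the port is encrypted but open to any client.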

Configuration on the client

Once the host is set up, we need to create certificates for the client, as described here: http://tech.paulcz.net/2016/01/secure-docker-with-tls/.

Once the certificates have been created, transfer them to the client and use docker-machine to create a configuration for the remote host. Docker-Machine needs a driver, which will be the none driver :^) So open a Windows PowerShell and type:

docker-machine.exe `
   --tls-ca-cert ca.pem `
   --tls-client-cert cert.pem `
   --tls-client-key key.pem `
   create `
   -d none `
   --url tcp://<IP or NAME>:2376 `
   <NAME>

Now Docker-Machine knows about the remote machine. Sadly the command does not copy the certificates into the correct directory, HOMEDIR/.docker/machine/machines/<NAME>, so we need to do that ourselves. Once that is done, just open a PowerShell and execute

& docker-machine.exe env <NAME> | Invoke-Expression

and PowerShell will be set up to use the remote host when calling docker commands.
