Confused how to create your own self-signed certificates to secure a remote docker socket?
This project generates a set of instructions, as executable scripts, to guide you in that process.
In an emtpy folder run:
bash <(curl -s https://raw.githubusercontent.com/FlorianKempenich/TLS-Certificates-for-Docker---Step-by-Step/master/generate_steps.sh) \
YOUR_DOMAIN_NAME
This will create a set of scripts in the current directory each representing a step to generate the following set of certificates / private keys:
* RootCA - Private Key
* RootCA - Self-signed Certificate
* Client - Private Key
* Client - Certificate signed by Root CA
* Used for client authentication with the `docker daemon`
* The `docker daemon` is set to trust any certificate issued by the Root CA
* Server - Private Key
* Server - Certificate signed by Root CA
* Certifies the domain name set by: `YOUR_DOMAIN_NAME`
After running the installation command, simply execute each step to generate the all the certificates.
# Generate the Root CA Key & Certificate
./step-1_Generate_RootCA_PrivateKey.sh
./step-2_Generate_RootCA_Certificate.sh
# Generate the Client Key & Certificate Signing Request (CSR)
cd ./client
./step-3-A_Generate_Client_PrivateKey.sh
./step-3-B_Generate_Server_PrivateKey.sh
cd ..
# Generate the Server Key & Certificate Signing Request (CSR)
cd ./server
./step-4-A_Generate_Client_CSR.sh
./step-4-B_Generate_Server_CSR.sh
cd ..
# Sign the Client & Server Certificates with the Root CA
./step-5-A_Sign_Client_Certificate.sh
./step-5-B_Sign_Server_Certificate.sh
# Copy the certificate in a 'docker_format' directory
#
# This follow the naming convention expected by docker when
# setting the 'DOCKER_CERT_PATH' environment variable
./step-6_Copy_clients_certificates_using_docker_naming_format.sh
And you're done :)
To make understanding the process easier:
When running each step, the command being executed will be displayed.
Feel free to inspect the content of each script before running them ;)
Once your docker machine is setup to use the certificates, to run docker commands
directly on that machine a pair of activation / deactivation scripts is provided.
eval $(./activate.sh)
Any docker command ran after the activating the machine will be executed on the remote machine
eval $(./deactivate.sh)
docker commands are now running locally again.
docker run \ --rm \ --name=hello-world\ -eWORLD=Mundo \ -p"80:80" \ -d floriankempenich/hello-worldWould run a hello-world web server on the port
80of your local machine.After runnning
eval $(./activate.sh), the same command:docker run \ --rm \ --name=hello-world\ -eWORLD=Mundo \ -p"80:80" \ -d floriankempenich/hello-worldWill now run a hello-world web server on the port
80of the remote machine accessible throughYOUR_DOMAIN_NAME
On top of the step-by-step instructions, a one click docker setup ansible
project has been created.
It allows to setup a working remote docker socket using the generated certificates in one click.
The only requirements are:
ansibleis installed on the local machine- You have SSH access with that
usernameon the remote machine- Python 2 is installed on the remote machine
- Enter the directory:
cd ./ansible- Edit the
ansible_userfield in theinventoryfile.
- To indicate the
usernameyou use to connect to the remote machine.- Default:
root- Install the role dependency:
ansible-galaxy install -r requirements.yml- Run the playbook:
ansible-playbook playbook.yml
- Or
ansible-playbook playbook.yml -Kif using a non-root user
The machine accessible at YOUR_DOMAIN_NAME is now a fully configured, remotely accessible, secured with TLS docker machine.
After you ensure that YOUR_DOMAIN_NAME is actually pointing to that machine,
you can simply activate it by running: eval $(./activate.sh)
For more info, see: Activation / Deactivation
Antonio Pires:
For helping me figure out how TLS Certificates work.
As well as how they are used in the context of Docker.