Running Docker with HTTP

Docker is a container technology that is used for overcoming the overhead of host resource usage as like virtual methods. Docker is based on Linux characteristics but can also be run on various operating systems such as Mac OS-X, Oracle Unix, Windows, etc. Though Docker runs using Unix sockets, HTTP sockets can also be used for Docker communication with the client.

This chapter highlights how to secure Docker daemon sockets and also various ways of creating client and server keys and CA by making use of Open-SSL. It also explains how to secure Docker client by default and the different Docker modes namely daemon and client modes. The procedure to connect Docker to secured port is explained at the end of this chapter.

Safeguarding the Docker Socket

Docker runs through Unix socket that is non-networked, by default. Docker can also communicate with the help of HTTP socket if desired.

If you wish for safe reachability of Docker through computer networks, you can use TLS by enabling tlsverify flag, then denote tlscacert flag of Docker using confidential CA certificate.

Daemon mode of Docker technology allows only the secured client connections that have been authenticated by CA certificate. In client mode of running, it will establish connection only with those servers that have certificates signed by the Certificate Authority (CA). The TLS commands are capable of generating just the working certificate sets in Linux environment. The Docker required certificates can be created by Mac OS-X’s Open-SSL version.

Creating Server Keys, Client Keys and CA Using Open – SSL

Replace all the $HOST instances with Domain Name Server of the host machine of Docker daemon.

1. The first step is to generate the public and private keys of Certificate Authority:
$ open-ssl genrsa – aes-256 -out ca key.pem – 2048
Creating ‘RSA’ private-key, 3074 bit long modulue
e is = 65537, ( 0 x 10001 )
Provide the particular phrase for the ca-key.pem:
Verification – Provide the particular phrase for the ca-key.pem
$ open-ssl, Req. – new – x-509 – days-365, – key –ca –key.pem, -sha-256 – out –
Provide the particular phrase for the ca-key.pem
You will be enquired to enter data which will be combined with your certificate
The information that you are now going to submit is the DN or Distinguished Name.
You have the option of leaving few pages blank.
There is default value for certain fields.
If you wish to leave a field blank, enter ‘.’.
Name of the country (2 lettered codes) [UA]: US
Name of the Province/State (comeplet name) : California
Name of the Locality (for eg, name of the city) []:Los Angeles
Name of the Organization (for eg, name of your company) []:Google Inc
Unit Name of organization (for eg, section name) []:Programmer
Common User Name (YOUR name or server FQDN) [] : – $HOST

Mailing Address []:carline@xxx.org.us
You now have the Certificate Authority and thus you can easily create a CSR and the server key. Be sure that your name or the server FQDN- common name matches with the local host name which connects the Docker.

Replace all host instances i.e $HOST instances with the Domain Name Server name of the host where Docker daemon runs.

1. Using the Certificate Authority or CA, do public key signature:

The TLS or Transport Layer Security can be done using DNS name and also the IP address. Thus there is a need to clearly specify during certificate creation.

2. In order to authenticate the client, make a CSR or signing request for the certificate and the client key.

3. Build a configuration file extension, for making the client key opt for authentication of client.

4. Use public key signature

5. After creating server-cert.pem as well as cert.pem, both the certificate requests can be safely removed: $ rm – v client.csr –server.csr

6. Using the default 022 umask, the secret keys of user would be world-writable as well as world-readable for the user and their group.

7. To preserve the client keys from damages that occur by chance, you need to delete the write permissions. You need to redo modes of files for making them user readable.

8. Even if the certificates are world-readable, you need to delete the write access for preventing damage accidentally.

9. Docker daemon can now be made to accept the connections only from clients that provide trusted certificates by the Certificate Authority.

10. For making it readily connectable with Docker and also for validating the certificate, you must supply the client keys, trusted Certificate Authority and the certificates:

Replace all $HOST instances in following with the Docker daemon’s Domain Name Server name of the host.

11. The Docker on TLS must run using TCP port numbered: 2376.

As per the above example, there is no need for you to run docker client using docker group or sudo while using CA. This means that anyone having client keys can make instructions for the Docker daemon. This gives the main access privilege for the person with keys to use host machine. Thus you must secure the client keys from outer access just as you preserve the root password.

Securing Default Docker Client Connection

If you wish securing Docker client connection using default settings, you need to move all files to directory ‘.docker’ of home directory. Then set DOCKER_TLS_VERIFY and DOCKER_HOST variables rather than passing –tlsverify and ‘H = tcp: // $HOST : 2376’ for function calling.

By default, docker will be connected securely:
$ docker ps

Various Docker Running Modes

Suppose you never want to get 2 way authentication mechanisms, you must be running Docker with different modes by flag-mixing.

Daemon Mode

  • Modes for client authentication: tlsverify, tlscert, tlscacert, tlskey set
  • Modes that never be used for client authentication: tlscert, tls, tlskey

Client Mode

  • tls: This client mode will do server authentication depending on default or public Certification Authority pool.
  • Tlscacert, tlsverify: Performs server authentication based on provided Certificate Authority.
  • tlscert, tls, tlskey: Perform client authentication with client CA but never performs server authentication with given Certificate Authority.
  • tlscert,tlsverify, tlskey,tlscacert: Will authenticate with client’s certificate and also perform server authentication using provided CA.

You need to place your client keys within “~/. Docker / { ca,cert,key } . pem” as the client sends it client certificate. If you wish to preserve these keys in some other location, you need to specify the location used with the help of environment variable called ‘DOCKER_CERT_PATH’.

0 Responses on Running Docker with HTTP"

Leave a Message

Your email address will not be published. Required fields are marked *

Copy Rights Reserved © Mindmajix.com All rights reserved. Disclaimer.