Docker client server security

Who are you? - It's me, your trustworthy client. - Prove it!

Docker has plenty of security configurations that I am just in the early stage of discovering.

Docker comes with a CLI that allows a client machine to interact with the Docker daemon. So, how does the daemon know which client has the authority to create a container, to delete one and to mine bitcoin?

I will look at using TLS [HTTPS] rather than SSL to protect the Docker daemon.

My goal is to start the daemon with TLS enabled, using certificates, so that only clients that have the correct TLS certificates can gain access to the daemon, like this:

Daemon with TLS enabled:

dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376

Note: with -H=0.0.0.0, dockerd listens on all network interfaces, and according to the Docker documentation, Docker with TLS should run on port 2376.

From the client, you must provide certificates like this (don’t mistake the --tlsverify flag for --tls, which simply enables encryption rather than authentication):

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version

I will go into details about how to achieve this in another post, but for now you can take a look at this documentation for a step-by-step setup.

After going through all the steps in the documentation, you may find it rather cumbersome to start interacting with a remote Docker daemon. However, you can copy all the certificates to the Docker root folder:

mkdir -pv ~/.docker  
cp -v {ca,cert,key}.pem ~/.docker

Note: the -p flag creates the parent directory if necessary. The -v flag displays messages, if there are any. You can remove both if you want.

Then you can set the environment variables for the host and TLS, so whenever you use docker you have the TLS certificates ready:

export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1
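
A pre-flight check for the client setup above, as an added example that is not part of the original post: it confirms that the three files copied to ~/.docker exist, that key.pem is private, that cert.pem chains to ca.pem and matches key.pem, and that the two environment variables are set. The function names are hypothetical, the openssl CLI is assumed to be installed, and the port check follows the post's 2376 convention.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# the file names ca.pem, cert.pem and key.pem follow the post.

# Return 0 if the three files exist in $1 and key.pem is private to its owner.
check_tls_files() {
    dir=$1
    for f in ca.pem cert.pem key.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -Lld "$dir/key.pem" | cut -c5-10)
    [ "$bits" = "------" ] || {
        echo "key.pem is open to group/other; run: chmod 0400 $dir/key.pem" >&2
        return 2
    }
}

# Return 0 if cert.pem is signed by ca.pem and key.pem is its private key.
check_tls_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || {
        echo "cert.pem does not chain to ca.pem" >&2; return 3; }
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] || {
        echo "key.pem does not match cert.pem" >&2; return 4; }
}

# Return 0 if the environment points docker at a TLS-verified TCP endpoint.
check_tls_env() {
    [ -n "${DOCKER_TLS_VERIFY:-}" ] || {
        echo "DOCKER_TLS_VERIFY is not set" >&2; return 5; }
    case "${DOCKER_HOST:-}" in
        tcp://*:2376) return 0 ;;
        *) echo "DOCKER_HOST should look like tcp://HOST:2376" >&2; return 6 ;;
    esac
}

# Usage: check_tls_files ~/.docker && check_tls_chain ~/.docker && check_tls_env
```

Each function returns a distinct non-zero code, so a wrapper script can tell a missing file from a loose key permission or a certificate signed by the wrong CA.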

That’s it for today. In the next post, I may write a bit more about networking and security stuff in Docker.