Now that we have a CA for our PKI, we can use this CA to verify the identity of our Docker host. The following steps will prepare the identity of our Docker host:
- First, we log in to our Docker host. In here, we will generate a private key that will secure the remote API being served by running Docker Engine. The following command will save the private key into a file called /etc/docker/server-key.pem:
dockerhost$ openssl genrsa -out /etc/docker/server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
................................+++
........+++
e is 65537 (0x10001)
- Next, we make sure that this file is secure and can only be accessed by the Docker Engine daemon (through the root user):
dockerhost$ chmod 600 /etc/docker/server-key.pem
dockerhost$ ls -l /etc/docker/server-key.pem
-rw-------. 1 root root 1675 Dec 2 21:09 /etc/docker/server-key.pem
- Now that the private key is ready, we will use this file to generate a Certificate Signing Request (CSR). openssl req following command will generate a CSR:
dockerhost$ openssl req -key /etc/docker/server-key.pem
-new -subj "/CN=dockerhost" -sha256 -out
dockerhost.csr
dockerhost$ ls -l dockerhost.csr
-rw-r--r--. 1 root root 891 Dec 2 21:33 dockerhost.csr
- Next, we go back to our client workstation where our CA's files are hosted. In here, we will download the CSR from our Docker host:
client$ scp dockerhost:~/dockerhost.csr dockerhost.csr
dockerhost.csr 100% 891 1.5MB/s 00:00
- We now prepare an OpenSSL configuration server-ext.cnf file that indicates that the certificates our CA will issue are used for server authentication:
extendedKeyUsage = serverAuth
- Finally, we can sign the CSR with our CA. The following command will place our Docker host's signed certificate in a file called dockerhost.pem:
client$ cd ~/ca
client$ openssl x509 -req -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -extfile server-ext.cnf \
-in dockerhost.csr -out dockerhost.pem
Signature ok
subject=/CN=dockerhost
Getting CA Private Key
Enter pass phrase for ca-key.pem: ****
Now that we have the identity of our Docker host verified by our CA, we can now enable the secure TCP port in our Docker host. We will bring up the secure remote API with the following steps:
- Let's now go back into our Docker host. Here, we will copy the certificates of our Docker host and CA from our client workstation:
dockerhost$ scp client:~/ca/ca.pem /etc/docker/ca.pem
ca.pem 100% 1911 1.1MB/s 00:00
dockerhost$ scp client:~/ca/dockerhost.pem /etc/docker/server.pem
dockerhost.pem 100% 1428 1.2MB/s 00:00
- Now that our TLS assets are in place, let's now reconfigure the Docker Engine daemon file, /etc/docker/daemon.json, to use those certificates:
{
"tlsverify": true,
"tlscacert": "/etc/docker/ca.pem",
"tlskey": "/etc/docker/server-key.pem",
"tlscert": "/etc/docker/server.pem"
}
- Next, we configure the Docker Engine daemon to listen to a secure port by creating a systemd override file /etc/systemd/system/docker.service.d/override.conf:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H unix:// -H tcp://0.0.0.0:2376
- Finally, we are now ready to restart Docker Engine:
dockerhost$ systemctl daemon-reload
dockerhost$ systemctl restart docker.service
Our Docker host is now ready and serving a secure API.