Child pages
  • Running a Docker daemon with TLS
Skip to end of metadata
Go to start of metadata

(under construction)

A Docker daemon runs with three optional socket modes: TCP socket, Unix Socket and  Systemd Socket.  If a Docker daemon needs to be accessed remotely,  the TCP socket needs to be enabled. By default, a Docker access to a Docker daemon is not unencrypted and not authorized.  For security reasons, configuring a Docker daemon to use TLS in communication with Docker client is necessary.


1. Create a CA

openssl genrsa -aes256 -out ca-key.pem 2048

openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem

2. Create SSL certificates for a Docker daemon and be signed with CA

openssl genrsa -out server-key.pem 2048

openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

echo subjectAltName = IP:$HOST,IP: > extfile.cnf

openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

rm server.csr

3. Create SSL certificates for a Docker client and signed with CA

openssl genrsa -out key.pem 2048

openssl req -subj '/CN=client' -new -key key.pem -out client.csr

echo extendedKeyUsage = clientAuth > extfile.cnf

openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf

rm client.csr

4.  Run a Docker daemon with certificates

docker daemon --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H tcp://$IP:2375 -H unix:///var/run/docker.sock &


5. Access a Docker daemon with certificate


  • No labels