= docker daemon TLS
* create directories:<code bash>
mkdir -p ${HOME}/.docker
sudo mkdir -p /etc/docker/certs
</code>
* create certificates (the first run writes the CA plus the client key/cert into ~/.docker; the second run reuses that CA to issue the server key/cert with the IPs and DNS name the daemon will be reached on):<code bash>
docker run --rm -v ${HOME}/.docker:/certs paulczar/omgwtfssl
sudo cp ${HOME}/.docker/ca.pem /etc/docker/certs/ca.pem
sudo chown -R $USER ${HOME}/.docker
# add the IPs / DNS names the daemon will be reached on (they become the server cert's SANs)
docker run --rm -v /etc/docker/certs:/server \
  -v ${HOME}/.docker:/certs \
  -e SSL_IP=127.0.0.1,172.17.8.101 \
  -e SSL_DNS=docker.local -e SSL_KEY=/server/key.pem \
  -e SSL_CERT=/server/cert.pem paulczar/omgwtfssl
</code>
* manual test (stop the service, run dockerd in the foreground with TLS client verification, then talk to it from another shell with the client certs):<code bash>
sudo systemctl stop docker.service
sudo dockerd \
  --tlsverify \
  --tlscacert=/etc/docker/certs/ca.pem \
  --tlscert=/etc/docker/certs/cert.pem \
  --tlskey=/etc/docker/certs/key.pem \
  -H=0.0.0.0:2376
</code><code bash>
docker --tlsverify \
  --tlscacert=${HOME}/.docker/ca.pem \
  --tlscert=${HOME}/.docker/cert.pem \
  --tlskey=${HOME}/.docker/key.pem \
  -H=127.0.0.1:2376 version
</code>
* configure dockerd:<code bash>
sudo cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service
</code>
* edit the file:<code ini>
...
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock \
  --tlsverify \
  --tlscacert=/etc/docker/certs/ca.pem \
  --tlskey=/etc/docker/certs/key.pem \
  --tlscert=/etc/docker/certs/cert.pem
...
</code>
* local users' access can be removed by taking out **-H unix:%%///%%var/run/docker.sock** (the unix socket is not covered by TLS: anyone who can write to it has root-equivalent control of the host)
* restart:<code bash>
sudo systemctl daemon-reload
sudo systemctl restart docker
</code>
* make the client use the TLS endpoint by default (if access through the socket was removed):<code bash>
export DOCKER_HOST=tcp://127.0.0.1:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=~/.docker
</code>
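As an added example (not from this page, Docker or omgwtfssl), a small Python audit that reads a docker.service unit, joins the backslash-continued ExecStart= line the way systemd does, and flags a tcp listener without --tlsverify, an incomplete set of TLS flags, or a unix socket that still bypasses TLS. Both unit texts are constructed samples; HARDENED_UNIT mirrors the ExecStart line from the steps above.

```python
"""Audit the ExecStart= line of a docker.service unit (constructed samples below)."""
import re
import shlex

# Constructed sample: the hardened ExecStart from the steps above.
HARDENED_UNIT = """[Service]
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock \\
  --tlsverify \\
  --tlscacert=/etc/docker/certs/ca.pem \\
  --tlskey=/etc/docker/certs/key.pem \\
  --tlscert=/etc/docker/certs/cert.pem
"""

# Constructed sample: a plaintext TCP listener, the configuration these steps exist to avoid.
EXPOSED_UNIT = """[Service]
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
"""


def exec_start(unit_text):
    """Return the ExecStart= value; systemd joins a line ending in a backslash with the next."""
    joined = re.sub(r"\\\n", " ", unit_text)
    for line in joined.splitlines():
        if line.startswith("ExecStart="):
            return line[len("ExecStart="):].strip()
    return ""


def audit(unit_text):
    """Return a list of findings (empty means nothing to report)."""
    argv = shlex.split(exec_start(unit_text))
    hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    flags = {a.split("=", 1)[0] for a in argv if a.startswith("--tls")}
    # dockerd treats a bare host:port (e.g. -H=0.0.0.0:2376) as a tcp listener.
    tcp = [h for h in hosts if h.startswith("tcp://") or "://" not in h]
    findings = []
    if tcp and "--tlsverify" not in flags:
        findings.append("tcp listener without --tlsverify: unauthenticated root-equivalent API")
    elif tcp and not {"--tlscacert", "--tlscert", "--tlskey"} <= flags:
        findings.append("--tlsverify set but --tlscacert/--tlscert/--tlskey are incomplete")
    if any(h.startswith("unix://") for h in hosts):
        findings.append("unix socket still enabled: local docker-group users bypass TLS")
    return findings
```

Run `audit()` on the text of your own /etc/systemd/system/docker.service; an empty list means the tcp listener requires client certificates and no unix socket is declared.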
/via: [[https://docs.docker.com/engine/security/protect-access/]]\\
/via: [[https://tech.paulcz.net/2016/01/secure-docker-with-tls/]] (OLD, 2016, the service unit does not work)\\
/via: [[https://riptutorial.com/docker/example/17079/enable-remote-access-with-tls-on-systemd]]\\