Tutorials for Docker to use HTTPS in Linux

Source: Internet
Author: User

Docker can listen on a TCP port and be managed remotely over plain HTTP.
The drawback of that setup is that the API provides no user authentication (no tokens or similar): anyone who knows the address and port can control the Docker host. To avoid this, Docker officially supports HTTPS, but we have to generate the certificates ourselves.

The OpenSSL commands for generating the CA certificate, the server private key, the client certificate and the signatures are fairly involved, so I generate everything with a script:

# cat certgen.sh
set -ex

[ -e certs ] || mkdir certs
cd certs
echo "Creating CA keys..."
# the serial file must contain a starting serial number for the CA to sign with
echo 01 > ca.srl
openssl genrsa -des3 -out ca-key.pem
openssl rsa -in ca-key.pem -out ca-key.pem
openssl req -subj "/CN=$(hostname -f)/" -new -x509 -days 365 -key ca-key.pem -out ca.pem

echo "Creating server keys..."
openssl genrsa -des3 -out server-key.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl req -subj "/CN=$(hostname -f)/" -new -key server-key.pem -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem

echo "Creating client keys..."
openssl genrsa -des3 -out key.pem
openssl rsa -in key.pem -out key.pem
openssl req -subj '/CN=*/' -new -key key.pem -out client.csr
# restrict the client certificate to client authentication
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf

Note: before running the script, make sure your hostname is a proper FQDN that resolves correctly. Do not replace $(hostname -f) in the script with an IP address; the script needs no modification. While it runs you will be prompted for a passphrase several times; entering the same passphrase every time is fine:

sh certgen.sh
After execution, a certs directory is generated in the current directory with all of the generated certificate files.
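The following is an added example, not the tutorial's certgen.sh. It generates the same three artifacts (CA, server certificate, client certificate) without passphrase prompts, goes a little beyond the script above by putting the host name in a subjectAltName and limiting the server certificate to serverAuth, and then verifies the result the way a Docker client will: each certificate must chain to the CA, be valid only for its intended purpose, and the server certificate must match the host name. The function names gen_docker_tls and cert_ok_for, the DOCKER_TLS_HOST variable and the placeholder host docker01.example.test are assumptions of this example; the openssl CLI (1.1.0 or newer) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not the tutorial's certgen.sh): generate a CA, a server
# certificate and a client certificate without passphrase prompts, then check
# that each chains to the CA, is limited to its intended use and (for the
# server) matches the host name the Docker client will connect to.
# Assumptions: openssl 1.1.0+ on PATH; "docker01.example.test" is a
# placeholder standing in for $(hostname -f).
set -e

DOCKER_TLS_HOST="${DOCKER_TLS_HOST:-docker01.example.test}"

# Generate all files into a fresh temporary directory and print its path.
gen_docker_tls() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        # CA: unencrypted key (no -des3, so no prompt) and a self-signed root.
        openssl genrsa -out ca-key.pem 2048
        openssl req -new -x509 -days 365 -key ca-key.pem \
            -subj "/CN=$DOCKER_TLS_HOST CA" -out ca.pem
        # Server certificate: CN and SAN carry the host name, EKU limits it to serverAuth.
        openssl genrsa -out server-key.pem 2048
        openssl req -new -key server-key.pem -subj "/CN=$DOCKER_TLS_HOST" -out server.csr
        printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
            "$DOCKER_TLS_HOST" > server-ext.cnf
        openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile server-ext.cnf -out server-cert.pem
        # Client certificate: EKU limits it to clientAuth, as the tutorial's extfile.cnf does.
        openssl genrsa -out key.pem 2048
        openssl req -new -key key.pem -subj "/CN=client" -out client.csr
        echo 'extendedKeyUsage = clientAuth' > client-ext.cnf
        openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile client-ext.cnf -out cert.pem
        # Private keys must not be readable by other users.
        chmod 600 ca-key.pem server-key.pem key.pem
    ) >/dev/null 2>&1
    echo "$dir"
}

# cert_ok_for CA CERT PURPOSE [HOST]: succeed only if CERT chains to CA, is
# valid for PURPOSE (sslserver or sslclient) and, when HOST is given, matches HOST.
cert_ok_for() {
    if [ -n "$4" ]; then
        openssl verify -CAfile "$1" -purpose "$3" -verify_hostname "$4" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
    fi
}

# Usage: sh this.sh --demo   (reports which checks pass for a freshly generated set)
if [ "${1:-}" = "--demo" ]; then
    d=$(gen_docker_tls)
    for check in "server-cert.pem sslserver $DOCKER_TLS_HOST" "cert.pem sslclient" \
                 "cert.pem sslserver" "server-cert.pem sslclient"; do
        set -- $check
        if cert_ok_for "$d/ca.pem" "$d/$1" "$2" "$3"; then r=accepted; else r=REJECTED; fi
        echo "$1 as $2: $r"
    done
    echo "files in $d"
fi
```

The checks matter because the daemon with --tlsverify accepts any client certificate that chains to ca.pem: a server certificate that also passes as a client certificate, or a CA key that is world-readable, quietly widens who can administer the host. The serverAuth/clientAuth split and the host name check are what make a leaked or mixed-up certificate fail instead of being accepted.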

To avoid confusion, now copy the CA and server private keys to other directories:

mkdir -p /etc/docker/certs
cd certs/
cp ca.pem server-cert.pem server-key.pem /etc/docker/certs/
The server's private key is now in place and we know where it is; now let Docker know:

vim /etc/default/docker
DOCKER_OPTS='-H unix:///var/run/docker.sock -H docker01.thstack.com:6732 --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem'
Restart the Docker service:

service docker restart
Add the DOCKER_HOST environment variable, pointing at the Docker host by its host name (using the IP address causes problems here as well):

# vim /etc/profile
export DOCKER_HOST=tcp://docker01.thstack.com:6732

# source /etc/profile
Docker now has HTTPS authentication enabled, so a plain docker command typed at the command line fails: every docker command needs the --tlsverify parameter, and the docker command, as the client tool used to operate the Docker host, also relies on the client certificate (the "malformed HTTP response" below is the daemon answering the plaintext request with a TLS alert):

root@docker01:~/certs# docker info
2014/09/14 16:19:26 Get http://docker01.thstack.com:6732/v1.14/info: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

root@docker01:~# docker --tlsverify images
2014/09/14 16:25:53 Couldn't read CA cert /root/.docker/ca.pem: open /root/.docker/ca.pem: no such file or directory
The output of docker --tlsverify images shows that with --tlsverify the client looks for its certificate files under ~/.docker by default, so add the certificates there for the docker client command:

mkdir ~/.docker
cd certs/
cp ca.pem cert.pem key.pem ~/.docker
Try to execute the command again:

root@docker01:~# docker ps
2014/09/14 16:28:42 Get http://docker01.thstack.com:6732/v1.14/containers/json: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

root@docker01:~# docker --tlsverify images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
ubuntu 14.04.1 826544226fdc 9 days ago 194.2 MB
ubuntu 14.04 826544226fdc 9 days ago 194.2 MB
ubuntu trusty 826544226fdc 9 days ago 194.2 MB
ubuntu latest 826544226fdc 9 days ago 194.2 MB
ubuntu 14.10 245ce11c1f25 9 days ago 202.5 MB
ubuntu utopic 245ce11c1f25 9 days ago 202.5 MB
ubuntu precise c17f3f519388 9 days ago 106.7 MB
ubuntu 12.04.5 c17f3f519388 9 days ago 106.7 MB
ubuntu 12.04 c17f3f519388 9 days ago 106.7 MB
ubuntu 12.10 c5881f11ded9 weeks ago 172.2 MB
ubuntu quantal c5881f11ded9 weeks ago 172.2 MB
ubuntu 13.04 463ff6be4238 weeks ago 169.4 MB
ubuntu raring 463ff6be4238 weeks ago 169.4 MB
ubuntu 13.10 195eb90b5349 weeks ago 184.7 MB
ubuntu saucy 195eb90b5349 weeks ago 184.7 MB
ubuntu lucid 3db9c44f4520 4 months ago 183 MB
ubuntu 10.04 3db9c44f4520 4 months ago 183 MB
Once HTTPS authentication is enabled, every docker command must carry the --tlsverify parameter.

All of the above was done on the Docker host itself; now find another machine to verify that HTTPS is in effect:

root@ubuntu:~# curl -v -s https://docker01.thstack.com:6732/info
* About to connect() to docker01.thstack.com port 6732 (#0)
*   Trying 192.168.3.23... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
This shows that certificate verification failed. Copy the client certificate from the Docker host to this machine with scp:

root@docker01:~# cd certs/
root@docker01:~/certs# scp ca.pem cert.pem key.pem root@ubuntu:/tmp
Point curl at the certificate files and you can see the verification process and result. Note that -k makes curl skip verifying the server's certificate, which is why the output below says "continuing anyway"; to verify the server against the CA as well, pass --cacert /tmp/ca.pem instead of -k:

root@ubuntu:~# curl -v -s -k --key /tmp/key.pem --cert /tmp/cert.pem https://docker01.thstack.com:6732/info

* About to connect() to docker01.thstack.com port 6732 (#0)
*   Trying 192.168.3.23... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*   subject: CN=docker01.thstack.com
*   start date: 2014-09-14 03:27:16 GMT
*   expire date: 2015-09-14 03:27:16 GMT
*   common name: docker01.thstack.com (matched)
*   issuer: CN=docker01.thstack.com
*   SSL certificate verify result: self signed certificate, continuing anyway.
> GET /info HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: docker01.thstack.com:6732
> Accept: */*
>
< HTTP/1.1 OK
< Content-Type: application/json
< Job-Name: info
< Date: Sun, Sep 2014 08:43:26 GMT
< Content-Length: 417
<
{"Containers": 1, "Debug": 0, "Driver": "aufs", "DriverStatus": [["Root Dir", "/var/lib/docker/aufs"], ["Dirs", "36"]], "ExecutionDriver": "native-0.2", "IPv4Forwarding": 1, "Images": "IndexServerAddress": "https://index.docker.io/v1/", "InitPath": "/usr/bin/docker", "InitSha1": "", "KernelVersion": "3.13.0-24-generic", "MemoryLimit": 1, "NEventsListener": 0, "NFd": One, "NGoroutines": One, "OperatingSystem": "Ubuntu 14.04.1 LTS", "SwapLimit": 0}
* Connection #0 to host docker01.thstack.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
You can also install lxc-docker on another machine and administer the Docker host remotely with the docker command, after setting the environment variable and adding the certificates as above.
If an error occurs during configuration, check the /var/log/upstart/docker.log log, or regenerate the certificates.
