Protect the Docker daemon socket CA

In RHEL8

Make a new directory, /home/dockercert, and run the following commands in it to generate the CA, the server certificate and the client certificate:

openssl genrsa -aes256 -out ca-key.pem 4096

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

openssl genrsa -out server-key.pem 4096

openssl req -subj "/CN=host1.example.com" -sha256 -new -key server-key.pem -out server.csr

echo subjectAltName = DNS:host1.example.com,IP:192.168.20.92 >> extfile.cnf

echo extendedKeyUsage = serverAuth >> extfile.cnf

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

openssl genrsa -out key.pem 4096

openssl req -subj '/CN=client' -new -key key.pem -out client.csr

echo extendedKeyUsage = clientAuth > extfile-client.cnf

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf

rm -v client.csr server.csr extfile.cnf extfile-client.cnf

** host1.example.com resolves to 192.168.20.92, so both the DNS name and the IP in the subjectAltName match what clients will connect to.
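The same certificate generation as above, wrapped in a script that also verifies each certificate against the CA for its intended purpose (added example, not code from the original post). It assumes openssl is on PATH, takes the CA passphrase from CA_PASS instead of prompting, and uses 2048-bit keys for speed where the post uses 4096; the hostname and IP are the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: generate the CA, server and
# client certificates described above into a directory, then verify each
# one against the CA for its intended purpose so a wrong extendedKeyUsage
# or missing SAN is caught before the daemon is restarted with tlsverify.
# Assumptions: openssl on PATH; CA passphrase from CA_PASS (demo default);
# 2048-bit keys for speed (the post uses 4096); host/IP are the post's values.
set -e
CA_PASS="${CA_PASS:-demo-passphrase}"
HOST="host1.example.com"; IP="192.168.20.92"

# make_certs DIR: create ca.pem, server-cert.pem, cert.pem and keys in DIR
make_certs() (
    mkdir -p "$1" && cd "$1"
    openssl genrsa -aes256 -passout pass:"$CA_PASS" -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca-key.pem -passin pass:"$CA_PASS" \
        -sha256 -subj "/CN=docker-ca" -out ca.pem
    # server cert: SAN must match what clients dial, EKU serverAuth
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
        "$HOST" "$IP" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin pass:"$CA_PASS" -CAcreateserial -out server-cert.pem -extfile extfile.cnf
    # client cert: EKU clientAuth only, so it cannot be presented as a server
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -subj "/CN=client" -new -key key.pem -out client.csr
    echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin pass:"$CA_PASS" -CAcreateserial -out cert.pem -extfile extfile-client.cnf
    rm -f client.csr server.csr extfile.cnf extfile-client.cnf
)

# check_purpose DIR CERT PURPOSE: "ok" if CERT chains to DIR/ca.pem and is
# valid for PURPOSE (sslserver or sslclient), otherwise "fail"
check_purpose() {
    if openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# has_san DIR: "ok" if server-cert.pem carries the DNS and IP SAN entries
has_san() {
    if openssl x509 -in "$1/server-cert.pem" -noout -text \
        | grep -q "DNS:$HOST, IP Address:$IP"
    then echo ok; else echo fail; fi
}
# Usage: make_certs /home/dockercert; check_purpose /home/dockercert server-cert.pem sslserver
```

A client certificate checked with `-purpose sslserver` (or the server certificate with `-purpose sslclient`) is expected to fail, which confirms the extendedKeyUsage split the post relies on.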

On the server, edit /etc/docker/daemon.json so the daemon listens on TCP with TLS client verification enabled:

{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "data-root": "/data/docker",
  "tlsverify": true,
  "tlscacert": "/home/dockercert/ca.pem",
  "tlscert": "/home/dockercert/server-cert.pem",
  "tlskey": "/home/dockercert/server-key.pem",
  "default-address-pools": [
    {"base": "10.10.0.0/16", "size": 24}
  ]
}

On the Windows client, set the following environment variables:

DOCKER_HOST=tcp://192.168.2.35:2376

DOCKER_TLS_VERIFY=1

Copy the following files from /home/dockercert on the Docker server to C:\Users\username\.docker on the client:

ca.pem
cert.pem
key.pem
