<!DOCTYPE html>
|
|
<html lang="en">
|
|
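<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<!-- user-scalable=no removed: it disabled pinch-zoom (a WCAG 1.4.4 failure) and buys nothing for layout -->
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<!-- Build provenance stamped by the docs generator -->
<meta name="docker_version" content="1.5.0">
<meta name="docker_git_branch" content="docs">
<meta name="docker_git_commit" content="35ea4de">
<meta name="docker_build_date" content="Fri Apr 10 23:25:55 UTC 2015">

<meta name="description" content="How to setup and run Docker with HTTPS">
<meta name="keywords" content="docker, docs, article, example, https, daemon, tls, ca, certificate">

<link rel="canonical" href="/articles/https/">
<link href="/css/bootstrap-custom.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet">
<link href="/css/prettify-1.0.css" rel="stylesheet">
<link rel="stylesheet" href="/css/dockerfile_tutorial.css">
<link href="/tipuesearch/tipuesearch.css" rel="stylesheet">
<link href="/css/docs.css" rel="stylesheet">
<link rel="shortcut icon" href="/img/favicon.png">
<title>Running Docker with HTTPS - Docker Documentation</title>
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->

<!-- Segment analytics.js loader (vendored snippet, SNIPPET_VERSION 4.0.0; kept byte-identical).
     It turns window.analytics into a call queue by stubbing the listed methods, then
     analytics.load(key) inserts a <script> for cdn.segment.com/analytics.js/v1/<key>/analytics.min.js.
     Two points a reviewer should know: the inserted tag follows the page's own scheme, so on an
     http:// page the tracker is fetched in plaintext, and it carries no integrity attribute;
     and because this block is inline, a strict CSP needs a script-src nonce/hash for it. -->
<script>
!function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","once","off","on"];analytics.factory=function(t){return function(){var e=Array.prototype.slice.call(arguments);e.unshift(t);analytics.push(e);return analytics}};for(var t=0;t<analytics.methods.length;t++){var e=analytics.methods[t];analytics[e]=analytics.factory(e)}analytics.load=function(t){var e=document.createElement("script");e.type="text/javascript";e.async=!0;e.src=("https:"===document.location.protocol?"https://":"http://")+"cdn.segment.com/analytics.js/v1/"+t+"/analytics.min.js";var n=document.getElementsByTagName("script")[0];n.parentNode.insertBefore(e,n)};analytics.SNIPPET_VERSION="4.0.0";
analytics.load("IWj9D0UpZHZdZUZX9jl98PcpBFWBnBMy");
analytics.page();
}}();
</script>
</head>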
|
|
<body>
|
|
|
|
<div id="topmostnav" class="topmostnav_loggedout navbar navbar-static-top">
|
|
<div class="container">
|
|
<a href="/" title="Docker Docs Home"><div class="brand logo"><img src="/img/nav/docker-logo-loggedin.png"> </div></a>
|
|
<form id="nav_search" class="navbar-index-search pull-right" action="/jsearch/">
|
|
<span role="status" aria-live="polite" class="ui-helper-hidden-accessible"></span>
|
|
<input name="q" id="tipue_search_input" type="text" class="search_input search-query ui-autocomplete-input" placeholder="Search the Docs" autocomplete="off">
|
|
</form>
|
|
<ul class="nav">
|
|
<li class=""><a href="http://www.docker.com/whatisdocker/" title="What is Docker">What is Docker?</a></li>
|
|
<li class=""><a href="http://www.docker.com/resources/usecases/" title="Use Cases">Use Cases</a></li>
|
|
<li class=""><a href="http://www.docker.com/tryit/" title="Try It!">Try It!</a></li>
|
|
<li><a href="https://registry.hub.docker.com" title="Browse">Browse</a></li>
|
|
</ul>
|
|
<div id="usernav" class="pull-right">
|
|
<a href="https://hub.docker.com/account/login" class="btn nav-button2" title="Log In">Log In</a>
|
|
<a href="https://hub.docker.com/account/signup" class="btn nav-button1" title="Sign Up">Sign Up</a>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div id="topmostnav" class="topmostnav_loggedin navbar navbar-static-top">
|
|
<div class="container">
|
|
<a href="/" title="Docker Docs Home"><div class="brand logo"><img src="/img/nav/docker-logo-loggedin.png"> </div></a>
|
|
<form id="nav_search" class="navbar-index-search pull-right" action="/jsearch/">
|
|
<span role="status" aria-live="polite" class="ui-helper-hidden-accessible"></span>
|
|
<input name="q" id="tipue_search_input" type="text" class="search_input search-query ui-autocomplete-input" placeholder="Search the Docs" autocomplete="off">
|
|
</form>
|
|
<ul class="nav">
|
|
<li><a href="https://registry.hub.docker.com" title="Browse Repos">Browse Repos</a></li>
|
|
<li class="active"><a href="http://docs.docker.com" title="Documentation">Documentation</a></li>
|
|
<li><a href="http://www.docker.com/community/participate/" title="Community">Community</a></li>
|
|
<li><a href="http://www.docker.com/resources/help/" title="Help">Help</a></li>
|
|
</ul>
|
|
<div id="usernav" class="pull-right">
|
|
<ul class="nav user">
|
|
<li class="dropdown">
|
|
<a id="logged-in-header-username" class="dropdown-toggle" data-toggle="dropdown" href="#">
|
|
<img class="profile" src="" alt="profile picture">
|
|
</a>
|
|
<ul class="dropdown-menu pull-right">
|
|
<li><a href="https://hub.docker.com/">View Profile</a></li>
|
|
<li><a href="https://hub.docker.com/account/settings/">Settings</a></li>
|
|
<li><a href="https://hub.docker.com/repos/">My Repositories</a></li>
|
|
<li><a href="https://hub.docker.com/plans/billing-info">Billing</a></li>
|
|
<li><a href="https://hub.docker.com/account/logout/?next=/">Log out</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<div id="wrap">
|
|
<nav id="nav_menu" class="clearfix navbar navbar-default navbar-static-top affix" role="navigation">
|
|
<div id="docsnav">
|
|
<ul id="main-nav" class="pull-left">
|
|
|
|
|
|
<li class="dd_menu pull-left">
|
|
|
|
<a href="/">About</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/">Docker</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/release-notes/">Release Notes</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/introduction/understanding-docker/">Understanding Docker</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="dd_menu pull-left">
|
|
|
|
<a href="/installation/ubuntulinux/">Installation</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/installation/ubuntulinux/">Ubuntu</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/mac/">Mac OS X</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/windows/">Microsoft Windows</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/amazon/">Amazon EC2</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/archlinux/">Arch Linux</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/binaries/">Binaries</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/centos/">CentOS</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/cruxlinux/">CRUX Linux</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/debian/">Debian</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/fedora/">Fedora</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/frugalware/">FrugalWare</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/google/">Google Cloud Platform</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/gentoolinux/">Gentoo</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/softlayer/">IBM Softlayer</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/rackspace/">Rackspace Cloud</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/rhel/">Red Hat Enterprise Linux</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/oracle/">Oracle Linux</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/installation/SUSE/">SUSE</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/install/">Docker Compose</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="dd_menu pull-left">
|
|
|
|
<a href="/userguide/">User Guide</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/userguide/">The Docker User Guide</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/userguide/dockerhub/">Getting Started with Docker Hub</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/userguide/dockerizing/">Dockerizing Applications</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/userguide/usingdocker/">Working with Containers</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/userguide/dockerimages/">Working with Docker Images</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/userguide/dockerlinks/">Linking containers together</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/userguide/dockervolumes/">Managing data in containers</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/userguide/dockerrepos/">Working with Docker Hub</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/">Docker Compose</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/machine/">Docker Machine</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/swarm/">Docker Swarm</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="dd_menu pull-left">
|
|
|
|
<a href="/docker-hub/">Docker Hub</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/docker-hub/">Docker Hub</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/docker-hub/accounts/">Accounts</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/docker-hub/repos/">Repositories</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/docker-hub/builds/">Automated Builds</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/docker-hub/official_repos/">Official Repo Guidelines</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="dd_menu pull-left">
|
|
|
|
<a href="/examples/nodejs_web_app/">Examples</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/examples/nodejs_web_app/">Dockerizing a Node.js web application</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/examples/mongodb/">Dockerizing MongoDB</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/examples/running_redis_service/">Dockerizing a Redis service</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/examples/postgresql_service/">Dockerizing a PostgreSQL service</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/examples/running_riak_service/">Dockerizing a Riak service</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/examples/running_ssh_service/">Dockerizing an SSH service</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/examples/couchdb_data_volumes/">Dockerizing a CouchDB service</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/examples/apt-cacher-ng/">Dockerizing an Apt-Cacher-ng service</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/django/">Getting started with Compose and Django</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/rails/">Getting started with Compose and Rails</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/wordpress/">Getting started with Compose and Wordpress</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="dd_menu pull-left active">
|
|
|
|
<a href="/articles/basics/">Articles</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/articles/basics/">Docker basics</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/networking/">Advanced networking</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/security/">Security</a>
|
|
</li>
|
|
|
|
<li class="active">
|
|
<a href="/articles/https/">Running Docker with HTTPS</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/registry_mirror/">Run a local registry mirror</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/host_integration/">Automatically starting containers</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/baseimages/">Creating a base image</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/dockerfile_best-practices/">Best practices for writing Dockerfiles</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/certificates/">Using certificates for repository client verification</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/using_supervisord/">Using Supervisor</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/cfengine_process_management/">Process management with CFEngine</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/puppet/">Using Puppet</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/chef/">Using Chef</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/dsc/">Using PowerShell DSC</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/ambassador_pattern_linking/">Cross-Host linking using ambassador containers</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/runmetrics/">Runtime metrics</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/b2d_volume_resize/">Increasing a Boot2Docker volume</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/articles/systemd/">Controlling and configuring Docker using Systemd</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="dd_menu pull-left">
|
|
|
|
<a href="/reference/commandline/cli/">Reference</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/reference/commandline/cli/">Command line</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/builder/">Dockerfile</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/faq/">FAQ</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/run/">Run Reference</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/cli/">Compose command line</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/yml/">Compose yml</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/env/">Compose ENV variables</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/compose/completion/">Compose commandline completion</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/swarm/discovery/">Swarm discovery</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/swarm/scheduler/strategy/">Swarm strategies</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/swarm/scheduler/filter/">Swarm filters</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/swarm/API/">Swarm API</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/docker-io_api/">Docker Hub API</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/registry_api/">Docker Registry API</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/registry_api_client_libraries/">Docker Registry API Client Libraries</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/hub_registry_spec/">Docker Hub and Registry Spec</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/docker_remote_api/">Docker Remote API</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/docker_remote_api_v1.17/">Docker Remote API v1.17</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/docker_remote_api_v1.16/">Docker Remote API v1.16</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/remote_api_client_libraries/">Docker Remote API Client Libraries</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/reference/api/docker_io_accounts_api/">Docker Hub Accounts API</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="dd_menu pull-left">
|
|
|
|
<a href="/project/who-written-for/">Contributor Guide</a>
|
|
|
|
<ul class="dd_submenu" style="max-height: 75px;">
|
|
|
|
<li >
|
|
<a href="/project/who-written-for/">README first</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/software-required/">Get required software</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/set-up-git/">Configure Git for contributing</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/set-up-dev-env/">Work with a development container</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/test-and-docs/">Run tests and test documentation</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/make-a-contribution/">Understand contribution workflow</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/find-an-issue/">Find an issue</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/work-issue/">Work on an issue</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/create-pr/">Create a pull request</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/review-pr/">Participate in the PR review</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/advanced-contributing/">Advanced contributing</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/get-help/">Where to get help</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/coding-style/">Coding style guide</a>
|
|
</li>
|
|
|
|
<li >
|
|
<a href="/project/doc-style/">Documentation style guide</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
</ul>
|
|
</div>
|
|
</nav>
|
|
<div id="content" class="container">
|
|
<div class="row">
|
|
|
|
<div class="span3" id="leftnav">
|
|
<div id="toc_table">
|
|
<ul class="nav nav-tabs nav-stacked">
|
|
|
|
|
|
<li class=""><a href="#create-a-ca-server-and-client-keys-with-openssl">Create a CA, server and client keys with OpenSSL</a>
|
|
<ul>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
<li class=""><a href="#secure-by-default">Secure by default</a>
|
|
<ul>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
<li class=""><a href="#other-modes">Other modes</a>
|
|
<ul>
|
|
|
|
<li><a href="#daemon-modes">Daemon modes</a></li>
|
|
|
|
<li><a href="#client-modes">Client modes</a></li>
|
|
|
|
<li><a href="#connecting-to-the-secure-docker-port-using-curl">Connecting to the Secure Docker port using curl</a></li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div class="span9 content-body">
|
|
|
|
|
|
|
|
<div id="versionnav" class="span3 pull-right invisible">
|
|
<ul class="nav version pull-right">
|
|
<li class="dropdown">
|
|
<a id="document-version-number" class="dropdown-toggle" data-toggle="dropdown" href="#">
|
|
Version v1.5
|
|
</a>
|
|
<ul id="documentation-version-list" class="dropdown-menu pull-right">
|
|
|
|
<li role="presentation" class="divider"></li>
|
|
<li> <a class="home-link3 tertiary-nav" href="https://github.com/docker/docker/blob/master/docs/sources/articles/https.md" >Edit on GitHub</a></li>
|
|
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
|
|
<h1 id="protecting-the-docker-daemon-socket-with-https">Protecting the Docker daemon Socket with HTTPS</h1>
|
|
<p>By default, Docker runs via a non-networked Unix socket. It can also
optionally communicate using an HTTP socket.</p>
|
|
<p>If you need Docker to be reachable via the network in a safe manner, you can
|
|
enable TLS by specifying the <code>tlsverify</code> flag and pointing Docker's
|
|
<code>tlscacert</code> flag to a trusted CA certificate.</p>
|
|
<p>In the daemon mode, it will only allow connections from clients
|
|
authenticated by a certificate signed by that CA. In the client mode,
|
|
it will only connect to servers with a certificate signed by that CA.</p>
|
|
<blockquote>
|
|
<p><strong>Warning</strong>:
|
|
Using TLS and managing a CA is an advanced topic. Please familiarize yourself
|
|
with OpenSSL, x509 and TLS before using it in production.</p>
|
|
<p><strong>Warning</strong>:
|
|
These TLS commands will only generate a working set of certificates on Linux.
|
|
Mac OS X comes with a version of OpenSSL that is incompatible with the
|
|
certificates that Docker requires.</p>
|
|
</blockquote>
|
|
<h2 id="create-a-ca-server-and-client-keys-with-openssl">Create a CA, server and client keys with OpenSSL</h2>
|
|
<blockquote>
|
|
<p><strong>Note</strong>: replace all instances of <code>$HOST</code> in the following example with the
|
|
DNS name of your Docker daemon's host.</p>
|
|
</blockquote>
|
|
<p>First generate CA private and public keys:</p>
|
|
<pre class="prettyprint well"><code>$ openssl genrsa -aes256 -out ca-key.pem 2048
|
|
Generating RSA private key, 2048 bit long modulus
|
|
......+++
|
|
...............+++
|
|
e is 65537 (0x10001)
|
|
Enter pass phrase for ca-key.pem:
|
|
Verifying - Enter pass phrase for ca-key.pem:
|
|
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
|
|
Enter pass phrase for ca-key.pem:
|
|
You are about to be asked to enter information that will be incorporated
|
|
into your certificate request.
|
|
What you are about to enter is what is called a Distinguished Name or a DN.
|
|
There are quite a few fields but you can leave some blank
|
|
For some fields there will be a default value,
|
|
If you enter '.', the field will be left blank.
|
|
-----
|
|
Country Name (2 letter code) [AU]:
|
|
State or Province Name (full name) [Some-State]:Queensland
|
|
Locality Name (eg, city) []:Brisbane
|
|
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
|
|
Organizational Unit Name (eg, section) []:Boot2Docker
|
|
Common Name (e.g. server FQDN or YOUR name) []:$HOST
|
|
Email Address []:Sven@home.org.au
|
|
</code></pre>
|
|
<p>Now that you have a CA, you can create a server key and a certificate
signing request (CSR). Make sure that the "Common Name" (i.e., the server FQDN or your
name) matches the hostname you will use to connect to Docker:</p>
|
|
<blockquote>
|
|
<p><strong>Note</strong>: replace all instances of <code>$HOST</code> in the following example with the
|
|
DNS name of your Docker daemon's host.</p>
|
|
</blockquote>
|
|
<pre class="prettyprint well"><code>$ openssl genrsa -out server-key.pem 2048
|
|
Generating RSA private key, 2048 bit long modulus
|
|
......................................................+++
|
|
............................................+++
|
|
e is 65537 (0x10001)
|
|
$ openssl req -subj "/CN=$HOST" -new -key server-key.pem -out server.csr
|
|
</code></pre>
|
|
<p>Next, sign the public key with your CA.</p>
|
|
<p>Since TLS connections can be made via IP address as well as DNS name, they need
|
|
to be specified when creating the certificate. For example, to allow connections
|
|
using <code>10.10.10.20</code> and <code>127.0.0.1</code>:</p>
|
|
<pre class="prettyprint well"><code>$ echo subjectAltName = IP:10.10.10.20,IP:127.0.0.1 > extfile.cnf
|
|
|
|
$ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
|
|
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
|
|
Signature ok
|
|
subject=/CN=your.host.com
|
|
Getting CA Private Key
|
|
Enter pass phrase for ca-key.pem:
|
|
</code></pre>
|
|
<p>For client authentication, create a client key and certificate signing
|
|
request:</p>
|
|
<pre class="prettyprint well"><code>$ openssl genrsa -out key.pem 2048
|
|
Generating RSA private key, 2048 bit long modulus
|
|
...............................................+++
|
|
...............................................................+++
|
|
e is 65537 (0x10001)
|
|
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
|
|
</code></pre>
|
|
<p>To make the key suitable for client authentication, create an extensions
|
|
config file:</p>
|
|
<pre class="prettyprint well"><code>$ echo extendedKeyUsage = clientAuth > extfile.cnf
|
|
</code></pre>
|
|
<p>Now sign the public key:</p>
|
|
<pre class="prettyprint well"><code>$ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
|
|
-CAcreateserial -out cert.pem -extfile extfile.cnf
|
|
Signature ok
|
|
subject=/CN=client
|
|
Getting CA Private Key
|
|
Enter pass phrase for ca-key.pem:
|
|
</code></pre>
|
|
<p>After generating <code>cert.pem</code> and <code>server-cert.pem</code> you can safely remove the
|
|
two certificate signing requests:</p>
|
|
<pre class="prettyprint well"><code>$ rm -v client.csr server.csr
|
|
</code></pre>
|
|
<p>With a default <code>umask</code> of 022, your secret keys will be <em>world-readable</em> and
|
|
writable for you and your group.</p>
|
|
<p>In order to protect your keys from accidental damage, you will want to remove their
|
|
write permissions. To make them only readable by you, change file modes as follows:</p>
|
|
<pre class="prettyprint well"><code>$ chmod -v 0400 ca-key.pem key.pem server-key.pem
|
|
</code></pre>
|
|
<p>Certificates can be world-readable, but you might want to remove write access to
|
|
prevent accidental damage:</p>
|
|
<pre class="prettyprint well"><code>$ chmod -v 0444 ca.pem server-cert.pem cert.pem
|
|
</code></pre>
|
|
<p>Now you can make the Docker daemon accept connections only from clients
that present a certificate signed by your CA:</p>
|
|
<pre class="prettyprint well"><code>$ docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
|
|
-H=0.0.0.0:2376
|
|
</code></pre>
|
|
<p>To be able to connect to Docker and validate its certificate, you now
|
|
need to provide your client keys, certificates and trusted CA:</p>
|
|
<blockquote>
|
|
<p><strong>Note</strong>: replace all instances of <code>$HOST</code> in the following example with the
|
|
DNS name of your Docker daemon's host.</p>
|
|
</blockquote>
|
|
<pre class="prettyprint well"><code>$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \
|
|
-H=$HOST:2376 version
|
|
</code></pre>
|
|
<blockquote>
|
|
<p><strong>Note</strong>:
|
|
Docker over TLS should run on TCP port 2376.</p>
|
|
<p><strong>Warning</strong>:
|
|
As shown in the example above, you don't have to run the <code>docker</code> client
|
|
with <code>sudo</code> or the <code>docker</code> group when you use certificate authentication.
|
|
That means anyone with the keys can give any instructions to your Docker
|
|
daemon, giving them root access to the machine hosting the daemon. Guard
|
|
these keys as you would a root password!</p>
|
|
</blockquote>
|
|
<h2 id="secure-by-default">Secure by default</h2>
|
|
<p>If you want to secure your Docker client connections by default, you can move
|
|
the files to the <code>.docker</code> directory in your home directory -- and set the
|
|
<code>DOCKER_HOST</code> and <code>DOCKER_TLS_VERIFY</code> variables as well (instead of passing
|
|
<code>-H=tcp://$HOST:2376</code> and <code>--tlsverify</code> on every call).</p>
|
|
<pre class="prettyprint well"><code>$ mkdir -pv ~/.docker
|
|
$ cp -v {ca,cert,key}.pem ~/.docker
|
|
$ export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1
|
|
</code></pre>
|
|
<p>Docker will now connect securely by default:</p>
|
|
<pre class="prettyprint well"><code>$ docker ps
|
|
</code></pre>
|
|
<h2 id="other-modes">Other modes</h2>
|
|
<p>If you don't want to have complete two-way authentication, you can run
|
|
Docker in various other modes by mixing the flags.</p>
|
|
<h3 id="daemon-modes">Daemon modes</h3>
|
|
<ul>
|
|
<li><code>tlsverify</code>, <code>tlscacert</code>, <code>tlscert</code>, <code>tlskey</code> set: Authenticate clients</li>
|
|
<li><code>tls</code>, <code>tlscert</code>, <code>tlskey</code>: Do not authenticate clients</li>
|
|
</ul>
|
|
<h3 id="client-modes">Client modes</h3>
|
|
<ul>
|
|
<li><code>tls</code>: Authenticate server based on public/default CA pool</li>
|
|
<li><code>tlsverify</code>, <code>tlscacert</code>: Authenticate server based on given CA</li>
|
|
<li><code>tls</code>, <code>tlscert</code>, <code>tlskey</code>: Authenticate with client certificate, do not
|
|
authenticate server based on given CA</li>
|
|
<li><code>tlsverify</code>, <code>tlscacert</code>, <code>tlscert</code>, <code>tlskey</code>: Authenticate with client
|
|
certificate and authenticate server based on given CA</li>
|
|
</ul>
|
|
<p>If they are found, the client will send its client certificate, so you just need
to drop your keys into <code>~/.docker/{ca,cert,key}.pem</code>. Alternatively,
if you want to store your keys in another location, you can specify that
location using the environment variable <code>DOCKER_CERT_PATH</code>.</p>
|
|
<pre class="prettyprint well"><code>$ export DOCKER_CERT_PATH=~/.docker/zone1/
|
|
$ docker --tlsverify ps
|
|
</code></pre>
|
|
<h3 id="connecting-to-the-secure-docker-port-using-curl">Connecting to the Secure Docker port using <code>curl</code></h3>
|
|
<p>To use <code>curl</code> to make test API requests, you need to use three extra command line
|
|
flags:</p>
|
|
<pre class="prettyprint well"><code>$ curl https://$HOST:2376/images/json \
|
|
--cert ~/.docker/cert.pem \
|
|
--key ~/.docker/key.pem \
|
|
--cacert ~/.docker/ca.pem
|
|
</code></pre>
|
|
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<div id="push-footer"></div>
|
|
|
|
</div>
|
|
|
|
|
|
|
|
<div id="footer-container" class="container">
|
|
<div id="footer" class="grey-body">
|
|
<div class="row">
|
|
<div class="span2">
|
|
<span class="footer-title">Community</span>
|
|
<ul class="unstyled">
|
|
<li><a class="primary-button" href="https://www.docker.com/community/events/">Events</a></li>
|
|
<li><a class="primary-button" href="http://posts.docker.com">Friends' Posts</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/community/meetups/">Meetups</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/community/governance/">Governance</a></li>
|
|
<li><a class="primary-button" href="http://forums.docker.com">Forums</a></li>
|
|
<li><a class="primary-button" href="http://botbot.me/freenode/docker">IRC</a></li>
|
|
<li><a class="primary-button" href="https://github.com/docker/docker">GitHub</a></li>
|
|
<li><a class="primary-button" href="http://stackoverflow.com/search?q=docker">Stackoverflow</a></li>
|
|
<li><a class="primary-button" href="http://www.cafepress.com/docker">Swag</a></li>
|
|
</ul>
|
|
</div>
|
|
<div class="span2">
|
|
<span class="footer-title">Enterprise</span>
|
|
<ul class="unstyled">
|
|
<li><a class="primary-button" href="https://www.docker.com/enterprise/support/">Support</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/enterprise/education/">Education</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/enterprise/services/">Services</a></li>
|
|
</ul>
|
|
<span class="footer-title">Partner Solutions</span>
|
|
<ul class="unstyled">
|
|
<li><a class="primary-button" href="https://www.docker.com/partners/find/">Find a Partner</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/partners/program/">Partner Program</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/partners/learn/">Learn More</a></li>
|
|
</ul>
|
|
</div>
|
|
<div class="span2">
|
|
<span class="footer-title">Resources</span>
|
|
<ul class="unstyled">
|
|
<li><a class="primary-button" href="https://docs.docker.com">Documentation</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/resources/help/">Help</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/resources/usecases/">Use Cases</a></li>
|
|
<li><a class="primary-button" href="http://www.docker.com/tryit/">Online Tutorial</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/resources/howtobuy/">How To Buy</a></li>
|
|
<li><a class="primary-button" href="http://status.docker.com">Status</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/resources/security/">Security</a></li>
|
|
</ul>
|
|
</div>
|
|
<div class="span2">
|
|
<span class="footer-title">Company</span>
|
|
<ul class="unstyled">
|
|
<li><a class="primary-button" href="https://www.docker.com/company/aboutus/">About Us</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/company/team/">Team</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/company/news/">News</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/company/press/">Press</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/company/careers/">Careers</a></li>
|
|
<li><a class="primary-button" href="https://www.docker.com/company/contact/">Contact</a></li>
|
|
</ul>
|
|
</div>
|
|
<div class="span3">
|
|
<span class="footer-title">Connect</span>
|
|
<div class="search">
|
|
<span>Subscribe to our newsletter</span>
|
|
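<form action="https://www.docker.com/subscribe_newsletter/" method="post">
<!-- NOTE(review): this token is baked into a static build, so every visitor submits the same
     value and it cannot bind the request to a session. The field is kept because the endpoint
     presumably expects it, but the endpoint must not treat it as CSRF protection. -->
<input type="hidden" name="csrfmiddlewaretoken" value="aWL78QXQkY8DSKNYh6cl08p5eTLl7sOa">
<!-- The original wrapped this row in <tr>/<th>/<td> with no enclosing <table>; the HTML parser
     ignores table-row tags outside a table, so label + input is what was actually rendered. -->
<label for="id_email">Email:</label>
<input class="form-control" id="id_email" name="email" type="email" autocomplete="email" placeholder="Enter your email">
<!-- icon-only submit needs an accessible name; the icon itself is decorative -->
<button type="submit" aria-label="Subscribe"><i class="icon-arrow-right" aria-hidden="true"></i> </button>
</form>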
|
|
</div>
|
|
<ul class="unstyled social">
|
|
<li><a title="Docker Blog" class="primary-button blog" href="http://blog.docker.com">Blog</a></li>
|
|
<li><a title="Docker on Twitter" class="primary-button twitter" href="http://twitter.com/docker">Twitter</a></li>
|
|
<li><a title="Docker on Google+" class="primary-button googleplus" href="https://plus.google.com/u/0/communities/108146856671494713993">Google+</a></li>
|
|
<li><a title="Docker on Facebook" class="primary-button facebook" href="https://www.facebook.com/docker.run">Facebook</a></li>
|
|
<li><a title="Docker on Youtube" class="primary-button youtube" href="http://www.youtube.com/user/dockerrun">YouTube</a></li>
|
|
</ul>
|
|
<ul class="unstyled social">
|
|
<li><a title="Docker on SlideShare" class="primary-button slideshare" href="http://www.slideshare.net/Docker">Slideshare</a></li>
|
|
<li>
|
|
<a title="Docker on LinkedIn" class="primary-button" href="https://www.linkedin.com/company/docker">
|
|
<span class="linkedin"></span>
|
|
LinkedIn
|
|
</a>
|
|
</li>
|
|
<li>
|
|
<a title="Docker on GitHub" class="primary-button" href="https://github.com/docker/">
|
|
<span class="github"></span>
|
|
GitHub
|
|
</a>
|
|
</li>
|
|
<li>
|
|
<a title="Docker on Reddit" class="primary-button" href="http://www.reddit.com/r/docker">
|
|
<span class="reddit"></span>
|
|
Reddit
|
|
</a>
|
|
</li>
|
|
<li>
|
|
<a title="Docker on AngelList" class="primary-button" href="https://angel.co/docker-inc-1">
|
|
<span class="angellist"></span>
|
|
AngelList
|
|
</a>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div class="row clearfix">
|
|
<div class="span6 pagination-right copyright">
|
|
<span>© 2014-2015 Docker, Inc.</span>
|
|
</div>
|
|
<div class="span6 pagination-left copyright">
|
|
<a href="http://www.docker.com/legal/terms_of_service">Terms</a> ·
|
|
<a href="http://www.docker.com/legal/privacy_policy">Privacy</a> ·
|
|
<a href="http://www.docker.com/legal/trademark_guidelines">Trademarks</a>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<script src="/js/jquery-1.10.2.min.js"></script>
|
|
<script src="/js/jquery.cookie.js" ></script>
|
|
<script src="/js/jquery-scrolltofixed-min.js"></script>
|
|
<script src="/js/bootstrap-3.0.3.min.js"></script>
|
|
<script src="/js/prettify-1.0.min.js"></script>
|
|
<script src="/js/dockerfile_tutorial.js"></script>
|
|
<script src="/js/dockerfile_tutorial_level.js"></script>
|
|
<script src="/js/base.js"></script>
|
|
<script src="/tipuesearch/tipuesearch_set.js"></script>
|
|
<script src="/tipuesearch/tipuesearch.min.js"></script>
|
|
<script type="text/javascript">
// Pardot tracking loader. The two identifiers are set on window so that pd.js,
// once it loads, can read them as globals (that is how the original snippet
// exposed them too -- as implicit globals).
window.piAId = '45082';
window.piCId = '1482';

(function () {
  // Inject pd.js after the page has finished loading. The host follows the
  // page's scheme -- pi.pardot.com over HTTPS, cdn.pardot.com over plain HTTP --
  // so on an http:// page the tracker itself arrives unencrypted, and a CSP
  // script-src would have to allow both hosts. The injected tag sets no
  // integrity attribute.
  function loadPardot() {
    var secure = document.location.protocol === 'https:';
    var tag = document.createElement('script');
    tag.type = 'text/javascript';
    tag.src = (secure ? 'https://pi' : 'http://cdn') + '.pardot.com/pd.js';
    var anchor = document.getElementsByTagName('script')[0];
    anchor.parentNode.insertBefore(tag, anchor);
  }

  // attachEvent is the legacy IE path; every other browser takes addEventListener.
  if (window.attachEvent) {
    window.attachEvent('onload', loadPardot);
  } else {
    window.addEventListener('load', loadPardot, false);
  }
})();
</script>
|
|
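<script type="text/javascript">
// Page setup: size the content area, populate the version picker, and toggle the
// logged-in / logged-out header bars.
$(document).ready(function () {
  // Keep the footer pushed down on short pages (553 is presumably the combined
  // header + footer height -- TODO confirm against the CSS).
  $('#content').css("min-height", $(window).height() - 553);

  // If the URL carries a version prefix such as /v1.5/, show it in the picker;
  // otherwise label the unversioned page as the latest.
  // `version` and `path` were implicit globals in the original; both are local now.
  var versionLink = $('#document-version-number')[0];
  var version = document.location.pathname.match(/^\/(v\d\.\d)\/.*/);
  if (version && version[1]) {
    versionLink.text = 'Version ' + version[1];
  } else {
    versionLink.text = versionLink.text + " (Latest)";
  }

  // Load the complete versions list. The response is fetched from this origin and
  // inserted as markup, so it must only ever come from the site's own build output.
  $.get("/versions.html_fragment", function (data) {
    $('#documentation-version-list').prepend(data);
    // Strip any leading "/v1.1/" so the current page path can be re-attached to
    // each version link in the dropdown.
    var path = document.location.pathname.replace(/^\/v\d\.\d/, "");
    $('#documentation-version-list a.version').each(function (i, e) {
      e.href = e.href + path;
      // Drops every class, including "version" -- presumably so a link is not
      // rewritten twice if this runs again.
      $(e).removeClass();
    });
  });
});

// Header state is driven by a client-readable cookie and only decides which nav bar
// is shown. getCookie() is not defined in this file; it is expected from an earlier
// script (presumably base.js). jQuery .text() assigns textContent, so the cookie
// value is rendered literally rather than parsed as HTML.
var userName = getCookie('docker_sso_username');
if (userName) {
  $('.topmostnav_loggedout').hide();
  $('.topmostnav_loggedin').show();
  $('#logged-in-header-username').text(userName);
} else {
  $('.topmostnav_loggedout').show();
  $('.topmostnav_loggedin').hide();
}
</script>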
|
|
</body>
|
|
</html> |