DOCKER_TLS_VERIFY, DOCKER_HOST, and DOCKER_CERT_PATH on Ubuntu

Alexander Zeitler picture Alexander Zeitler · Jul 9, 2016 · Viewed 13.9k times · Source

If DOCKER_TLS_VERIFY, DOCKER_HOST and DOCKER_CERT_PATH are not set on Ubuntu, what are the defaults to export the vars by myself (I'm not using Docker Machine)?

ps aux | grep "docker daemon"

returns this:

root       1828  2.4  0.5 764036 44804 ?        Ssl  21:32   0:01 /usr/bin/docker daemon --raw-logs
alexzei+   6557  0.0  0.0  15948  2268 pts/15   S+   21:33   0:00 grep --color=auto docker daemon

Answer

BMitch picture BMitch · Jul 22, 2016

The default values are unset and the docker cli defaults to using /var/run/docker.sock and/or systemd. However, from your comment to ldg, you have an app that requires these to be set, which would indicate that it wants you to configure TLS on your host for remote access. Here are the steps to configure the TLS keys:

Setup CA

# work in a secure folder
mkdir docker-ca && chmod 700 docker-ca && cd docker-ca
# generate a key pair for the CA
openssl genrsa -aes256 -out ca-key.pem 2048
# setup CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
  # make sure to set CN

Server certificate

# generate a new host key pair
openssl genrsa -out myserver-key.pem 2048
# generate certificate signing request (CSR)
openssl req -subj "/CN=myserver" -new -key myserver-key.pem -out myserver.csr
# setup extfile for ip's to allow
echo "subjectAltName = IP:$myserver_ip, IP:127.0.0.1" >extfile.cnf
# sign the key by the CA
openssl x509 -req -days 365 -in myserver.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out myserver-cert.pem -extfile extfile.cnf
# test server by updating service:
/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2376 --tlsverify \
  --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/myserver-cert.pem \
  --tlskey=/etc/docker/myserver-key.pem

You'll need to update your OS startup script for Docker to have the above in it (-H unix:/var/run/docker.sock would be used in place of -H fd:// if you don't have systemd).

Client certificate

In ".docker" you can add: "ca.pem, key.pem, cert.pem" and then export DOCKER_TLS_VERIFY=1

# create a client key pair
openssl genrsa -out client-key.pem 2048
# generate csr for client key
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
# configure request to support client
echo extendedKeyUsage = clientAuth >extfile.cnf
# sign the client key with the CA
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out client-cert.pem -extfile extfile.cnf
# test client with
docker --tlsverify \
  --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
  -H=tcp://127.0.0.1:2376 info`

Then DOCKER_CERT_PATH would be the folder with your certificates, e.g. /home/user/.docker.