Patrick de Ruiter
22d78bf85c
- Remove ansible/ from .gitignore - Add vault_agent role (copied from terraform-vsphere-infra) - Add vault_agent-playbook.yml for deployment - Include ansible collections (cloud.terraform, ansible.posix, etc.) - Archive consul_template role as consul_template-legacy The ansible directory contains the vault-agent deployment automation that replaces the legacy consul-template approach.
3.3 KiB
The default values are unset and the docker cli defaults to using /var/run/docker.sock and/or systemd. However, from your comment to ldg, you have an app that requires these to be set, which would indicate that it wants you to configure TLS on your host for remote access. Here are the steps to configure the TLS keys: Setup CA
work in a secure folder
mkdir docker-ca && chmod 700 docker-ca && cd docker-ca
generate a key pair for the CA
openssl genrsa -aes256 -out ca-key.pem 2048
setup CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
make sure to set CN
Server certificate
generate a new host key pair
openssl genrsa -out myserver-key.pem 2048
generate certificate signing request (CSR)
openssl req -subj "/CN=myserver" -new -key myserver-key.pem -out myserver.csr
setup extfile for ip's to allow
echo "subjectAltName = IP:$myserver_ip, IP:127.0.0.1" >extfile.cnf
sign the key by the CA
openssl x509 -req -days 365 -in myserver.csr -CA ca.pem -CAkey ca-key.pem
-CAcreateserial -out myserver-cert.pem -extfile extfile.cnf
test server by updating service:
/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2376 --tlsverify
--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/myserver-cert.pem
--tlskey=/etc/docker/myserver-key.pem
You'll need to update your OS startup script for Docker to have the above in it (-H unix:/var/run/docker.sock would be used in place of -H fd:// if you don't have systemd). Client certificate
In ".docker" you can add: "ca.pem, key.pem, cert.pem" and then export DOCKER_TLS_VERIFY=1
create a client key pair
openssl genrsa -out client-key.pem 2048
generate csr for client key
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
configure request to support client
echo extendedKeyUsage = clientAuth >extfile.cnf
sign the client key with the CA
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem
-CAcreateserial -out client-cert.pem -extfile extfile.cnf
test client with
docker --tlsverify
--tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem
-H=tcp://127.0.0.1:2376 info`
Then DOCKER_CERT_PATH would be the folder with your certificates, e.g. /home/user/.docker. Share Improve this answer Follow answered Jul 22, 2016 at 20:59 BMitch's user avatar BMitch 243k4444 gold badges504504 silver badges468468 bronze badges
I've set DOCKER_CERT_PATH to the directory where all the certificates exist . Have also set DOCKER_HOST, DOCKER_TLS_VERIFY values but still when I execute docker commands , the certificate is expected. Anything else I should verify ? I've also tried restarting docker-daemon and docker –
explorer
Mar 30, 2021 at 19:18
Add a comment 6
Use export DOCKER_TLS_VERIFY="1" export DOCKER_HOST="tcp://0.0.0.0:2376" export DOCKER_CERT_PATH="/etc/docker/server.pem"
You can find out the values on your system using
ps aux | grep "docker daemon"
For instance, in my case I get root 25161 0.0 1.8 545784 38496 ? Ssl 07:11 0:00 /usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver aufs --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=amazonec2
You may however have to use sudo to run docker
sudo docker ps