Last active December 22, 2015 08:30
Revisions
jpetazzo revised this gist
Oct 21, 2013 . 1 changed file with 3 additions and 74 deletions.
@@ -1,76 +1,5 @@ I've moved this information to my blog: http://jpetazzo.github.io/2013/10/20/secure-connection-docker-api/ The old version is available in the history if needed. Thank you! -
jpetazzo revised this gist
Sep 5, 2013 . 1 changed file with 47 additions and 8 deletions.
@@ -1,37 +1,76 @@ # Secure Docker in the wild Here is a crude recipe to put `socat` in front of the Docker API. `socat` will accept HTTPS connections, make sure that the client shows an appropriate certificate, and relay the connection to the UNIX socket. ## First things first ```bash apt-get install socat ``` ## Generate key and certificate ```bash openssl genrsa -out key.pem 2048 openssl req -new -key key.pem -x509 -out cert.pem -days 36525 -subj /CN=WoopWoop/ ``` This will generate a 2048 bits RSA key in `key.pem`, and a self-signed certificate in `cert.pem`, valid 10 years. Copy both `key.pem` and `cert.pem` on client and server. ## On server (running Docker) ```bash socat \ OPENSSL-LISTEN:4321,fork,reuseaddr,cert=cert.pem,cafile=cert.pem,key=key.pem \ UNIX:/var/run/docker.sock ``` `fork` means that `socat` will fork a new child process for each incoming connection (instead of handling only one connection and exiting right away). `reuseaddr` is a useful socket option, so that if you exit and restart socat, it won't tell you that the address is already taken. By default, OPENSSL connections made with `socat` require the other end to show a valid certificate; unless you add `verify=0`. In that case, we want to encrypt connections *and* check certificates (to deny unauthorized clients), so the defaults are good. ## On client (running e.g. Docker CLI) ```bash socat \ UNIX-LISTEN:/tmp/docker.sock,fork \ OPENSSL:$SERVERADDR:4321,cert=cert.pem,cafile=cert.pem,key=key.pem ``` Very symmetrical. Now you can point your Docker CLI like this: ```bash docker -H unix:///tmp/docker.sock run -t -i busybox sh ``` ## On client (using an HTTP client API) ```bash socat \ TCP-LISTEN:4321,bind=127.0.0.1,fork \ OPENSSL:$SERVERADDR:4321,cert=cert.pem,cafile=cert.pem,key=key.pem ``` The Docker API is then available on `http://127.0.0.1:4321`. Enjoy! -
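Review bot: In the "Generate key and certificate" and "On server" sections of this hunk, the single `key.pem`/`cert.pem` pair is copied to both ends and used as `cert=`, `key=` and `cafile=` on both sides, so the client-certificate check only proves possession of the one shared private key; whoever holds `key.pem` can both connect as a client and impersonate the server, and one leaked client copy means rotating the server too. Suggest one key pair per side (ideally per client), with `cafile=` on each end pointing only at the peer's certificate (or a small private CA), so a client certificate can be revoked without touching the server. Also, the prose says the certificate is "valid 10 years" but `-days 36525` is 100 years; either fix the number or the sentence, and a much shorter lifetime is preferable for a certificate that doubles as a bearer credential. Finally, the text never says what file permissions `key.pem` should have after `openssl genrsa`; a one-line `chmod 600 key.pem` after the generation step would make the recipe safer to copy verbatim.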
jpetazzo created this gist
Sep 5, 2013 .
@@ -0,0 +1,37 @@ # Secure Docker in the wild ## Generate key and certificate ```bash openssl genrsa -out key.pem 2048 openssl req -new -key key.pem -x509 -out cert.pem -days 36525 -subj /CN=WoopWoop/ ``` Copy `key.pem` and `cert.pem` on client and server. ## On server ```bash socat OPENSSL-LISTEN:4321,fork,reuseaddr,cert=cert.pem,cafile=cert.pem,key=key.pem UNIX:/var/run/docker.sock ``` ## On client, using UNIX socket ```bash socat UNIX-LISTEN:/tmp/docker.sock,fork OPENSSL:$SERVERADDR:4321,cert=cert.pem,cafile=cert.pem,key=key.pem ``` Now you can point your Docker CLI like this: ```bash docker -H unix:///tmp/docker.sock run -t -i busybox sh ``` ## On client, using TCP socket ```bash socat TCP-LISTEN:4321,bind=127.0.0.1,fork OPENSSL:$SERVERADDR:4321,cert=cert.pem,cafile=cert.pem,key=key.pem ``` The Docker API is then available on `http://127.0.0.1:4321`.
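Review bot: In both "On client" sections of this hunk, the local relay endpoint re-exposes the remote Docker API without any authentication on the client machine: `UNIX-LISTEN:/tmp/docker.sock,fork` creates a socket in a shared directory whose permissions depend on the caller's umask, and `TCP-LISTEN:4321,bind=127.0.0.1,fork` is reachable by every local process and user (the loopback bind limits network reach, not local reach). Since the other end of that relay is a root-equivalent Docker socket, suggest adding `mode=600` (and `unlink-early`) to the UNIX-LISTEN address, or placing the socket in a directory only the intended user can enter, and documenting that the TCP variant should only be used on a single-user host or behind the UNIX variant. The section also omits any guidance on who may read `key.pem` on the client; the same `chmod 600` caveat applies there.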