Sunday, July 18, 2021

How to use Docker Engine API securely

The Engine API is an HTTP API served by the Docker Engine. It’s the API the Docker client uses to communicate with the Engine, so everything the Docker client can do can also be done with the API.


In order to use the Docker Engine API from another host, the daemon must be started with a TCP socket enabled. By default the daemon only creates a unix domain socket (an IPC socket) at /var/run/docker.sock, which the local Docker client and tools such as curl --unix-socket can talk to. We can configure the daemon to listen on several sockets at the same time by passing more than one -H option:


dockerd -H unix:///var/run/docker.sock -H tcp://192.168.1.100:2375


With this command line the daemon opens two sockets: a unix domain socket at /var/run/docker.sock, and a TCP socket listening on port 2375 on the 192.168.1.100 interface only, so the API is not reachable through the host's other interfaces. By convention, ports 2375/tcp and 2376/tcp are used for unencrypted and TLS-encrypted connections, respectively.


On systemd based GNU/Linux distributions we can enable the engine API over TCP by creating the /etc/systemd/system/docker.service.d/override.conf file with the following contents:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375

With -H fd:// we keep the support for establishing the communication with the daemon via systemd socket activation. With -H tcp://0.0.0.0:2375 the daemon also opens a TCP socket listening on port 2375 on all interfaces of the system. We have to clear ExecStart with an empty assignment before setting it again, because it is an additive setting and can have multiple entries. Keep in mind that this listener is unencrypted and unauthenticated: anyone who can reach port 2375 can start privileged containers through the API and therefore controls the host as root, so it should only be used on a network you fully trust, and normally only as a stepping stone to the TLS configuration described later.


Then, we must execute the following command to reload the configuration of the systemd units:



sudo systemctl daemon-reload

As the last step, the service must be restarted:


sudo systemctl restart docker.service
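Before restarting the daemon it is worth checking what the resulting command line actually exposes. The following script is an added example, not code from the original post: it parses a dockerd command line (the ExecStart= value shown by `systemctl cat docker.service`, or the running process from `ps -o args= -C dockerd`) and flags every TCP listener that is not protected by --tlsverify. The function names are this example's own; the script only inspects the command line, so listeners added through the "hosts" key of /etc/docker/daemon.json would not be seen by it.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a dockerd command line
# for Engine API listeners that are reachable over TCP without
# client-certificate TLS. Listeners configured in /etc/docker/daemon.json
# ("hosts") are not covered, only the command line is inspected.

# Print every listener given as "-H addr", "-H=addr", "--host addr" or
# "--host=addr", one per line.
dockerd_listeners() {
    printf '%s\n' "$*" | tr ' ' '\n' | awk '
        $0 == "-H" || $0 == "--host" { want = 1; next }
        sub(/^(-H|--host)=/, "")   { print; next }
        want                        { print; want = 0 }
    '
}

# Succeed if the command line turns on client certificate verification.
# --tls alone only encrypts the connection; it does not authenticate clients.
has_tlsverify() {
    printf '%s\n' "$*" | tr ' ' '\n' | grep -qxE -- '--tlsverify(=true)?'
}

# audit_dockerd_cmdline "<dockerd command line>"
# Prints one verdict per listener. Returns 0 when every network listener is
# protected by --tlsverify, 1 when at least one TCP listener is plaintext.
audit_dockerd_cmdline() {
    cmdline=$*
    insecure=0
    if has_tlsverify "$cmdline"; then tls=1; else tls=0; fi
    for addr in $(dockerd_listeners "$cmdline"); do
        case $addr in
            unix://*|fd://*|npipe://*)
                echo "ok:       $addr (local socket, guarded by file permissions)" ;;
            *)
                # dockerd treats anything else ("tcp://host:port" or a bare
                # "host:port") as a TCP listener.
                if [ "$tls" -eq 1 ]; then
                    echo "ok:       $addr (TLS, client certificates required)"
                else
                    echo "INSECURE: $addr (plaintext, unauthenticated Engine API)"
                    insecure=1
                fi ;;
        esac
    done
    return $insecure
}

# Example run against the override above (constructed input):
# audit_dockerd_cmdline '/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'
# reports "INSECURE: tcp://0.0.0.0:2375 ..." and returns 1.
```

To check the live daemon, source the script and run `audit_dockerd_cmdline "$(ps -o args= -C dockerd)"`; a non-zero exit status means the API is reachable in plaintext.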


Securing the API


We can secure the TCP endpoint with TLS. The daemon presents a server certificate to the client and, when started with --tlsverify, it also rejects every client that does not present a certificate signed by the same CA. A private, self-signed CA of our own is enough for this; no public CA is needed.


The overall procedure is this:


  1. Create the certificates: a CA certificate, a server certificate issued for the host name or IP address the clients will connect to, and a client certificate signed by the same CA.
  2. Configure the daemon to use the CA, server certificate and server key, and to require client certificates.
  3. Connect from the client using the CA certificate and the client certificate and key.


Configuring the daemon to use these certificates is done with the same kind of systemd override as before, now listening on the conventional TLS port 2376:


[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/ssl/certs/ca.pem --tlscert=/etc/ssl/certs/server-cert.pem --tlskey=/etc/ssl/private/server-key.pem
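The three steps above, carried out end to end, as an added example that is not part of the original post. It uses openssl to create the CA, the server certificate and the client certificate that the daemon configuration above expects, verifies the chain, and prints the environment the Docker client needs. The function names, the output directory, the host name docker.example.test, the 2048-bit RSA keys and the 365-day lifetime are this example's own assumptions; the subjectAltName and extendedKeyUsage extensions are set the way the Docker documentation does it, because the Go TLS stack used by the daemon and the client rejects server certificates without a SAN.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the certificates for
# `dockerd --tlsverify` with openssl and verify them.
# Assumptions: output directory, host name and optional IP are parameters;
# key size and lifetime are arbitrary choices for the example.

# make_docker_tls <outdir> <daemon-host-name> [daemon-ip]
# Produces in <outdir>: ca.pem, ca-key.pem, server-cert.pem, server-key.pem,
# and the client pair cert.pem / key.pem (the names the Docker CLI looks for
# in DOCKER_CERT_PATH).
make_docker_tls() {
    out=$1; host=$2; ip=${3:-}
    mkdir -p "$out" || return 1
    umask 077   # private keys are created readable by the owner only

    # 1. Private CA, self-signed; it signs both server and client certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=docker-ca-example" \
        -keyout "$out/ca-key.pem" -out "$out/ca.pem" 2>/dev/null || return 1

    # 2. Server certificate. The SAN must contain the name (or IP) the client
    #    dials, and extendedKeyUsage must include serverAuth.
    san="DNS:$host"
    [ -n "$ip" ] && san="$san,IP:$ip"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$out/server-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$out/server-key.pem" -out "$out/server.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 365 -in "$out/server.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/server-ext.cnf" -out "$out/server-cert.pem" 2>/dev/null || return 1

    # 3. Client certificate. --tlsverify accepts only clients whose certificate
    #    chains to ca.pem; extendedKeyUsage must include clientAuth.
    printf 'extendedKeyUsage=clientAuth\n' > "$out/client-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=docker-client" \
        -keyout "$out/key.pem" -out "$out/client.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 365 -in "$out/client.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/client-ext.cnf" -out "$out/cert.pem" 2>/dev/null || return 1

    rm -f "$out/server.csr" "$out/client.csr" "$out/server-ext.cnf" "$out/client-ext.cnf"
    chmod 0444 "$out/ca.pem" "$out/server-cert.pem" "$out/cert.pem"   # public parts
}

# verify_docker_tls <outdir> <daemon-host-name>
# Checks that both leaf certificates chain to the CA for their purpose and
# that the server certificate carries the host name the client will dial.
verify_docker_tls() {
    out=$1; host=$2
    openssl verify -CAfile "$out/ca.pem" -purpose sslserver "$out/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$out/ca.pem" -purpose sslclient "$out/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/server-cert.pem" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# docker_tls_env <outdir> <daemon-host-name>
# Prints the environment that makes the Docker CLI use the client certificate.
docker_tls_env() {
    out=$1; host=$2
    printf 'export DOCKER_HOST=tcp://%s:2376\n' "$host"
    printf 'export DOCKER_TLS_VERIFY=1\n'
    printf 'export DOCKER_CERT_PATH=%s\n' "$out"
}
```

On the daemon side, copy ca.pem and server-cert.pem to /etc/ssl/certs/ and server-key.pem to /etc/ssl/private/ to match the paths in the override above. On the client side, `eval "$(docker_tls_env ~/.docker docker.example.test)"` followed by `docker version` exercises the full handshake; the same request without the docker CLI is `curl --cacert ca.pem --cert cert.pem --key key.pem https://docker.example.test:2376/version`. A client that omits --cert and --key should be refused by the daemon; that refusal is the check that --tlsverify is really in effect.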


References:

https://medium.com/trabe/using-docker-engine-api-securely-584e0882158e
