Use an HTTP connection to control Docker

  • Use case (command line mode)
  • For dockerode (controlled by Node.js)
Reference
https://docs.docker.com/articles/https/
Question:

How can this be done with dockerode?

Daemon socket option

Purpose:

Access the Docker daemon remotely over a TCP socket.

The Docker daemon can listen for Docker Remote API requests via three different types of socket: unix, tcp, and fd.

Running Docker with HTTPS

Reference:

https://docs.docker.com/articles/https/

1st: install OpenSSL (if needed)

2nd: create ca-key.pem (CA, certificate authority)

$ echo 01 > ca.srl

$ openssl genrsa -des3 -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
......+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

$ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem
Enter pass phrase for ca-key.pem:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:TW
 State or Province Name (full name) [Some-State]:Taiwan
 Locality Name (eg, city) []:Taichung
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:wuderks
 Organizational Unit Name (eg, section) []:agilearning
 Common Name (e.g. server FQDN or YOUR name) []:localhost   /* this is for testing */
 Email Address []:Sven@home.org.a

3rd: create server key

$ openssl genrsa -des3 -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................................+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase for server-key.pem:
Verifying - Enter pass phrase for server-key.pem:

$ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr
Enter pass phrase for server-key.pem:

4th: use own CA to sign the (server) key

$ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

5th: create client key and sign it

$ openssl genrsa -des3 -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:

$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Enter pass phrase for key.pem:

6th: create an extensions config file

$ echo extendedKeyUsage = clientAuth > extfile.cnf

7th: sign the (client) key

$ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

8th: remove the passphrase from the client and server keys

$ openssl rsa -in server-key.pem -out server-key.pem
Enter pass phrase for server-key.pem:
writing RSA key

$ openssl rsa -in key.pem -out key.pem
Enter pass phrase for key.pem:
writing RSA key

Now you can make the Docker daemon only accept connections from clients providing a certificate trusted by our CA (start the server-side Docker daemon; from now on a client needs a certificate from our CA to operate it):

$ docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
This command is run on the server side and starts the Docker daemon.

After startup, any client that connects operates Docker as root by default, so protect your CA.

Warning: As shown in the example above, you don't have to run the docker client with sudo or the docker group when you use certificate authentication. That means anyone with the keys can give any instructions to your Docker daemon, giving them root access to the machine hosting the daemon. Guard these keys as you would a root password!


To test this tutorial locally, open two terminals: one acts as the server side and runs the command above; the other runs the command below.

To be able to connect to Docker and validate its certificate, you now need to provide your client keys, certificates and trusted CA:

$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=dns-name-of-docker-host:2376 version
This command is run on the client side; it presents the client certificate and key to the server.
Note: Docker over TLS should run on TCP port 2376.

Connecting to the Secure Docker port using curl

To use curl to make test API requests, you need to use three extra command line flags:

$ curl --insecure --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://boot2docker:2376/images/json

This command is for testing only.