2

If DOCKER_TLS_VERIFY, DOCKER_HOST and DOCKER_CERT_PATH are not set on Ubuntu, what are the defaults to export the vars by myself (I'm not using Docker Machine)?

ps aux | grep "docker daemon"

returns this:

root       1828  2.4  0.5 764036 44804 ?        Ssl  21:32   0:01 /usr/bin/docker daemon --raw-logs
alexzei+   6557  0.0  0.0  15948  2268 pts/15   S+   21:33   0:00 grep --color=auto docker daemon
Alexander Zeitler
  • 11,919
  • 11
  • 81
  • 124

3 Answers3

7

The default values are unset and the docker cli defaults to using /var/run/docker.sock and/or systemd. However, from your comment to ldg, you have an app that requires these to be set, which would indicate that it wants you to configure TLS on your host for remote access. Here are the steps to configure the TLS keys:

Setup CA

# work in a secure folder
mkdir docker-ca && chmod 700 docker-ca && cd docker-ca
# generate a key pair for the CA
openssl genrsa -aes256 -out ca-key.pem 2048
# setup CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
  # make sure to set CN

Server certificate

# generate a new host key pair
openssl genrsa -out myserver-key.pem 2048
# generate certificate signing request (CSR)
openssl req -subj "/CN=myserver" -new -key myserver-key.pem -out myserver.csr
# setup extfile for ip's to allow
echo "subjectAltName = IP:$myserver_ip, IP:127.0.0.1" >extfile.cnf
# sign the key by the CA
openssl x509 -req -days 365 -in myserver.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out myserver-cert.pem -extfile extfile.cnf
# test server by updating service:
/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2376 --tlsverify \
  --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/myserver-cert.pem \
  --tlskey=/etc/docker/myserver-key.pem

You'll need to update your OS startup script for Docker to have the above in it (-H unix:/var/run/docker.sock would be used in place of -H fd:// if you don't have systemd).

Client certificate

In ".docker" you can add: "ca.pem, key.pem, cert.pem" and then export DOCKER_TLS_VERIFY=1

# create a client key pair
openssl genrsa -out client-key.pem 2048
# generate csr for client key
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
# configure request to support client
echo extendedKeyUsage = clientAuth >extfile.cnf
# sign the client key with the CA
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out client-cert.pem -extfile extfile.cnf
# test client with
docker --tlsverify \
  --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
  -H=tcp://127.0.0.1:2376 info`

Then DOCKER_CERT_PATH would be the folder with your certificates, e.g. /home/user/.docker.

BMitch
  • 231,797
  • 42
  • 475
  • 450
  • I've set DOCKER_CERT_PATH to the directory where all the certificates exist . Have also set DOCKER_HOST, DOCKER_TLS_VERIFY values but still when I execute docker commands , the certificate is expected. Anything else I should verify ? I've also tried restarting docker-daemon and docker – explorer Mar 30 '21 at 19:18
5

Use export DOCKER_TLS_VERIFY="1" export DOCKER_HOST="tcp://0.0.0.0:2376" export DOCKER_CERT_PATH="/etc/docker/server.pem"

You can find out the values on your system using

ps aux | grep "docker daemon"

For instance, in my case I get root 25161 0.0 1.8 545784 38496 ? Ssl 07:11 0:00 /usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver aufs --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=amazonec2

You may however have to use sudo to run docker

sudo docker ps

Bernard
  • 16,149
  • 12
  • 63
  • 66
4

You could try this:

If you are working with applications like Apache Maven that expect settings for DOCKER_HOST and DOCKER_CERT_PATH environment variables, specify these to connect to Docker instances through Unix sockets. For example:

export DOCKER_HOST=unix:///var/run/docker.sock

ldg
  • 9,112
  • 2
  • 29
  • 44