
I am trying to secure client daemon communication on windows by creating a certificate authority (CA).


The lab setup shown in the above image is used in the example, but it says my lab will be different, and I don't know how to find the IP addresses like 10.0.0.10, 10.0.0.11 and 10.0.0.12. I know the node names are docker.exe (client) and dockerd.exe (daemon), but what are their IP addresses?

The default installation puts them on the same host and configures them to communicate over a local IPC socket: //./pipe/docker_engine

It's also possible to configure them to communicate over the network. By default, network communication occurs over an unsecured HTTP socket on port 2375/tcp.

I don't know what information in this is relevant or helpful but I need to know the IP addresses of the docker daemon and client.

In answer to the responses I am also writing this: I am following along with the book Docker Deep Dive, and I am trying to secure client-daemon communication. I am creating a file called extfile.cnf which has the following inside: subjectAltName = DNS:node3,IP=10.0.0.12 extendedKeyUsage = serverAuth

I need to know what to put instead of 10.0.0.12

When I put localhost, 127.0.0.1, 127.0.0.1:2375, tcp://127.0.0.1:2375 or anything else instead and then run this command afterwards:

openssl x509 -req -days 730 -sha256 -in daemon.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out daemon-cert.pem -extfile extfile.cnf

The error is:

x509: Error on line 1 of config file "extfile.cnf" 7C0A0000:error:07000065:configuration file routines:def_load_bio:missing equal sign:crypto\conf\conf_def.c:511:HERE--> ■sline 1

Michael93
  • I don't know if this is helpful, but there is `host.docker.internal` [DNS](https://docs.docker.com/desktop/windows/networking/#use-cases-and-workarounds); I think it can be helpful. – George Dec 22 '21 at 07:51
  • Under Linux it is communicating via a non-networking UNIX socket. A solution for secure communication with a CA is described at https://docs.docker.com/engine/security/protect-access/ . But the .exe tells me you are running under Windows. I am not sure how it works there, but I estimate that the default is that the daemon is serving at `tcp://localhost:2375` with TLS enabled. There is also the possibility to add certs to this. The host IP is changing (or there is even no IP) and, as George pointed out, it is reachable via `host.docker.internal`, which resolves to the host. What exactly do you want to achieve? – araisch Dec 22 '21 at 08:11
  • These IP addresses are all internal details and you almost never need to know them. The only time you'd use them at all is making connections between containers, and there Docker provides an internal DNS system so the container names can be used as host names. – David Maze Dec 22 '21 at 11:57
  • The Docker daemon should almost never be network-accessible, unless you're absolutely sure you know what you're doing and you're absolutely sure the TLS certificates are set up correctly. Anyone who can access the Docker socket can pretty trivially root the host and you really don't want that visible over the network. If you can connect to port 2375 and run Docker commands, that's a major security problem. – David Maze Dec 22 '21 at 11:58
  • I have amended the question to answer everything above, thank you. Also I forgot to write that host.docker.internal returns an unrecognised error. – Michael93 Dec 23 '21 at 05:26
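A quick check of extfile.cnf before it is handed to the openssl command, added here as an example; it is not from the question or from Docker Deep Dive. It flags the things that produce an OpenSSL error like the one quoted above: a file saved as UTF-16 with a byte order mark (what Windows PowerShell 5's `>` redirection writes by default, one plausible reading of the "■s" in the quoted error, not confirmed by the thread), a line with no `=`, and a subjectAltName entry that is not of the form `TYPE:value`, such as `IP=10.0.0.12`, `IP:127.0.0.1:2375` or `tcp://127.0.0.1:2375`. The localhost/127.0.0.1 address in the corrected sample is an assumption about where the daemon listens; use the daemon's real bind address or DNS name.

```python
import ipaddress
SAN_TYPES = {"DNS", "IP", "email", "URI"}  # OpenSSL subjectAltName name types

# Constructed sample: the question's file as typed, saved the way Windows
# PowerShell 5 redirection saves it (UTF-16 LE with a byte order mark).
AS_TYPED = "subjectAltName = DNS:node3,IP=10.0.0.12\nextendedKeyUsage = serverAuth\n".encode("utf-16")
# Constructed corrected file; localhost/127.0.0.1 is an assumed daemon bind address.
CORRECTED = b"subjectAltName = DNS:localhost,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n"

def decode_extfile(raw: bytes):
    """Return (text, findings). OpenSSL's config reader wants ASCII/UTF-8 with
    no BOM; a UTF-16 file makes line 1 look like 'ÿþs' to it, with no '=' in it."""
    findings = []
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        findings.append("file is UTF-16 with a BOM; save it as ASCII/UTF-8 instead")
        return raw.decode("utf-16"), findings
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("file starts with a UTF-8 BOM; remove it")
    return raw.decode("utf-8-sig", errors="replace"), findings

def check_san(value: str):
    """Each comma-separated entry must be TYPE:value; IP values must parse as addresses."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        kind, sep, name = entry.partition(":")
        if not sep:
            findings.append(f"SAN entry '{entry}' must be TYPE:value, e.g. IP:10.0.0.12")
        elif kind not in SAN_TYPES:
            findings.append(f"SAN type '{kind}' not recognised (no URL scheme; use DNS: or IP:)")
        elif kind == "IP":
            try:
                ipaddress.ip_address(name)
            except ValueError:
                findings.append(f"'{name}' is not an IP address (no port; host names go under DNS:)")
    return findings

def lint_extfile(raw: bytes):
    """Approximate OpenSSL's config parse and return a list of findings (empty = looks fine)."""
    text, findings = decode_extfile(raw)
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line[0] in "#[":  # comments and [section] headers carry no '='
            continue
        key, eq, value = line.partition("=")
        if not eq:
            findings.append(f"line {lineno}: missing equal sign")
        elif key.strip() == "subjectAltName":
            findings.extend(check_san(value))
    return findings
```

Run it on the real file with `lint_extfile(open("extfile.cnf", "rb").read())`; an empty list means the file at least parses the way openssl expects, and each finding names the line or SAN entry to fix.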
