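# Docker

## Using

https://hub.docker.com/u/armhf/

- `docker run -ti --rm armhf/ubuntu /usr/bin/env bash`

https://docs.resin.io/runtime/resin-base-images/

- `docker run -ti --rm resin/rpi-raspbian:jessie /usr/bin/env bash`
- `docker run -ti --rm resin/raspberrypi3-alpine-python /usr/bin/env bash`

## Install

```bash
echo "overlay" | sudo tee -a /etc/modules
sudo modprobe overlay
# Save the installer to a file and read it before running it; it calls sudo
# internally, so whatever it contains ends up running as root.
curl -sSL -o get-docker.sh https://get.docker.com
less get-docker.sh
sh get-docker.sh
```

## User

To use as the pi user without `sudo`:

```bash
# Membership of the docker group grants access to the daemon socket, which is
# equivalent to root on the host - only add accounts you would give sudo to.
sudo sh -c 'usermod -aG docker "$SUDO_USER"'
sudo systemctl restart docker
newgrp docker
```

## Network

Previous 'get.docker.com' command creates override file _/etc/systemd/system/docker.service.d/overlay.conf_

To make docker listen on the network:

Note: `-H tcp://0.0.0.0:2375` on its own is an unauthenticated, plaintext daemon port (remote root on the host). The TLS section below rewrites it to 2376 with `--tlsverify`; on a reachable network, generate the certs first and apply both `sed` edits before the first `try-restart`, so the daemon is never restarted in the unauthenticated state.

```bash
# Appends ' -H tcp://0.0.0.0:2375' to the last (ExecStart) line of the override.
sudo sed -e '${s%[[:blank:]]*$% -H tcp://0.0.0.0:2375%;}' -i /etc/systemd/system/docker.service.d/overlay.conf
sudo systemctl daemon-reload
sudo systemctl try-restart docker
```

## TLS

```bash
sudo mkdir -pv /etc/docker/certs.d/{ca,server,client}

# CA: Private key and self-signed cert
# The CA CN is made different from the server CN on purpose: an end-entity
# cert whose subject equals its issuer is easily mistaken for self-signed
# during chain verification and then fails with "self signed certificate".
sudo openssl req \
  -nodes \
  -keyout /etc/docker/certs.d/ca/ca-key.pem \
  -newkey rsa:4096 \
  -x509 \
  -days 3650 \
  -out /etc/docker/certs.d/ca/ca.pem \
  -subj "/C=US/CN=$( hostname ) CA"
```

```bash
# Server: Private key and CSR
sudo openssl req \
  -new \
  -newkey rsa:4096 \
  -nodes \
  -out /etc/docker/certs.d/server/server.csr \
  -keyout /etc/docker/certs.d/server/server-key.pem \
  -subj "/C=US/CN=$( hostname )"

# Server: Cert from CA with home network name and IPs as alt names
# The address list assumes net-tools style 'inet addr:' output; a newer
# ifconfig prints 'inet 192.0.2.1' and would produce an empty IP list here
# (check extfile.cnf before signing). Every local address - loopback,
# docker0, ... - lands in the SAN; trim the file if only the LAN address
# should be trusted.
echo "subjectAltName = DNS:raspberrypi.home,$( for ip in $( ifconfig | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}' ); do printf 'IP:%s,' "$ip"; done | sed 's/,$//' )" | sudo tee /etc/docker/certs.d/server/extfile.cnf
# -CAserial is given explicitly: without it, where -CAcreateserial puts the
# serial file depends on the OpenSSL version (it truncates the CA path at the
# first or the last '.'), so the file could land in /etc/docker/ instead of ca/.
sudo openssl x509 \
  -req \
  -days 3650 \
  -in /etc/docker/certs.d/server/server.csr \
  -out /etc/docker/certs.d/server/server.pem \
  -CA /etc/docker/certs.d/ca/ca.pem \
  -CAkey /etc/docker/certs.d/ca/ca-key.pem \
  -CAserial /etc/docker/certs.d/ca/ca.srl \
  -CAcreateserial \
  -extfile /etc/docker/certs.d/server/extfile.cnf
sudo rm -v /etc/docker/certs.d/server/server.csr
```

```bash
# Workstation: Private key and CSR
sudo openssl req \
  -new \
  -newkey rsa:4096 \
  -nodes \
  -out /etc/docker/certs.d/client/cert.csr \
  -keyout /etc/docker/certs.d/client/key.pem \
  -subj "/C=US/CN=client"

# Workstation: Cert from CA; CN not as important b/c workstation docker will not be accepting connections
# clientAuth keeps this cert from being usable as a server cert should it leak.
echo "extendedKeyUsage = clientAuth" | sudo tee /etc/docker/certs.d/client/extfile.cnf
sudo openssl x509 \
  -req \
  -days 3650 \
  -in /etc/docker/certs.d/client/cert.csr \
  -out /etc/docker/certs.d/client/cert.pem \
  -CA /etc/docker/certs.d/ca/ca.pem \
  -CAkey /etc/docker/certs.d/ca/ca-key.pem \
  -CAserial /etc/docker/certs.d/ca/ca.srl \
  -extfile /etc/docker/certs.d/client/extfile.cnf
sudo rm -v /etc/docker/certs.d/client/cert.csr
```

```bash
# Keys were generated with -nodes (unencrypted), so file mode is the only
# protection: root read-only, nothing for group/other.
sudo find /etc/docker/certs.d/ -mindepth 1 -type f \( -name '*-key.pem' -o -name 'key.pem' \) -exec chmod -c a=,u=r {} \;
# ca-key.pem can issue further client certs for this daemon. Once the client
# cert exists nothing on the Pi needs it any more; moving it off the host
# (or at least out of /etc/docker) limits what a compromised daemon host yields.
# Switch 2375 -> 2376 and require client certs signed by our CA.
sudo sed -r -e 's%(tcp://0.0.0.0:237)5%\16%;' -e '${s%[[:blank:]]*$% --tlsverify --tlscacert=/etc/docker/certs.d/ca/ca.pem --tlscert=/etc/docker/certs.d/server/server.pem --tlskey=/etc/docker/certs.d/server/server-key.pem%;}' -i /etc/systemd/system/docker.service.d/overlay.conf
sudo systemctl daemon-reload
sudo systemctl try-restart docker
```

```bash
mkdir ~/tls/
# cp -a keeps the 0400 mode on key.pem; chown then hands the copies to the pi user.
sudo cp -av \
  /etc/docker/certs.d/ca/ca.pem \
  /etc/docker/certs.d/client/key.pem \
  /etc/docker/certs.d/client/cert.pem \
  ~/tls/
sudo chown -cR "$(whoami):$(whoami)" ~/tls/

# From your workstation:
# -p preserves the 0400 mode on key.pem (plain scp applies the local umask).
# Docker reads ca.pem/cert.pem/key.pem directly from ~/.docker; if ~/.docker
# already exists, scp -r creates ~/.docker/tls instead, so copy the files up
# a level or point DOCKER_CERT_PATH at that directory.
scp -rp pi@raspberrypi.home:tls ~/.docker
export DOCKER_TLS_VERIFY=1 DOCKER_HOST=tcp://raspberrypi.home:2376
```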