
@fallewi
Forked from ozlerhakan/secure-docker-daemon.sh
Created October 5, 2020 14:04

Revisions

  1. @ozlerhakan ozlerhakan revised this gist Mar 27, 2017. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion secure-docker-daemon.sh
    @@ -44,7 +44,9 @@
    # export DOCKER_HOST="tcp://0.0.0.0:2376"
    # export DOCKER_CERT_PATH="/home/hakan/.docker"

    set -e
    set -eu

    #set -x ; debugging

    cd ~
    echo "you are now in $PWD"
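Review bot: `set -eu` is a sound hardening, but the `#set -x ; debugging` line directly below it deserves a caveat in the comment: with tracing enabled, every later `openssl ... -passin pass:$PASSWORD` / `-passout pass:$PASSWORD` invocation prints the expanded CA password to stderr and to anything capturing it. Suggest `# set -x ; debugging (NOTE: traces expose $PASSWORD in the openssl command lines)`, or enable tracing only around the non-secret steps.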
  2. @ozlerhakan ozlerhakan renamed this gist Mar 25, 2017. 1 changed file with 0 additions and 0 deletions.
    File renamed without changes.
  3. @ozlerhakan ozlerhakan revised this gist Mar 16, 2017. 1 changed file with 3 additions and 8 deletions.
    11 changes: 3 additions & 8 deletions Secure your Docker Daemon
    @@ -1,7 +1,5 @@
    #!/bin/bash
    #
    # SETTING UP DOCKER SERVER CERTIFICATES
    #
    # Docker Daemon varsayilan olarak ag iletisimi olmadan
    # sadece Unix socket uzerinden calismaktadir.
    # Docker Client ve Daemon arasinda HTTPS uzerinden
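Review bot: the header block is still in Turkish while every inline comment in the body of the script (key generation, CSR, chmod) is in English; since this header carries the only instructions for the systemd drop-in and the two client connection methods, consider keeping it in the same language as the rest of the file so anyone running the script can follow the daemon-side steps.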
    @@ -40,14 +38,11 @@
    # --tlskey=key.pem \
    # -H localhost:2376 info
    #
    # veya
    #
    # 2. DOCKER_HOSTS ortam degiskenlerini kullanmak:
    # 2. DOCKER ortam degiskenlerini kullanmak:
    #
    # export DOCKER_TLS_VERIFY="1"
    # export DOCKER_HOST="tcp://0.0.0.0:2376"
    # export DOCKER_CERT_PATH="/home/hakan/.docker"
    #

    set -e

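Review bot: the renamed comment is fine, but the example value `export DOCKER_HOST="tcp://0.0.0.0:2376"` is wrong for a client: `0.0.0.0` is the daemon's bind address, not an address to connect to, and with `DOCKER_TLS_VERIFY="1"` the client checks the server certificate against the host it dialled, which therefore has to be the name entered as `$SERVER` (the CN in the server CSR below). Suggest `export DOCKER_HOST="tcp://<server-name>:2376"`; the option-1 example `-H localhost:2376` has the same mismatch unless `$SERVER` was `localhost`.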
    @@ -56,7 +51,7 @@ echo "you are now in $PWD"

    if [ ! -d ".docker/" ]
    then
    echo "Directory ./docker/ does not exists."
    echo "Directory ./docker/ does not exist"
    echo "Creating the directory"
    mkdir .docker
    fi
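Review bot: the fixed message still names the wrong path: the test is `[ ! -d ".docker/" ]` after `cd ~`, so the directory is `~/.docker/`, not `./docker/`; suggest `echo "Directory ~/.docker/ does not exist"`. Since this directory will hold `ca-key.pem`, `key.pem` and `server-key.pem`, create it with `mkdir -m 0700 .docker`: the final `chmod 0400` protects the files, but a 0700 directory also closes the window between `openssl genrsa` writing each key under the default umask and that chmod.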
    @@ -73,7 +68,7 @@ openssl genrsa -aes256 -passout pass:$PASSWORD -out ca-key.pem 2048

    # Sign the the previously created CA key with your password and address for a period of one year.
    # i.e. generating a self-signed certificate for CA
    # X.509 is a standard that defines the format of public key certificates fixed size 256-bit (32-byte) hash
    # X.509 is a standard that defines the format of public key certificates, with fixed size 256-bit (32-byte) hash
    openssl req -new -x509 -days 365 -key ca-key.pem -passin pass:$PASSWORD -sha256 -out ca.pem -subj "/C=TR/ST=./L=./O=./CN=$SERVER"

    # Generating a server key with 2048-bit security
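Review bot: the reworded comment still conflates two things: X.509 is the certificate format, while the "fixed size 256-bit (32-byte) hash" describes the `-sha256` signature digest selected on the next line; suggest `# X.509 is the certificate format; -sha256 selects SHA-256 (a fixed 256-bit / 32-byte digest) for the signature`. Separately, `-passin pass:$PASSWORD` is unquoted here (as is `-passout pass:$PASSWORD` in the genrsa line above) while the later `x509` calls quote it, so a password containing spaces or glob characters breaks only these two commands; and passing the password in argv makes it readable in `ps` / `/proc/*/cmdline` for the duration of each openssl call, which `-passin env:PASSWORD` (after `export PASSWORD`) or `-passin stdin` avoids.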
  4. @ozlerhakan ozlerhakan created this gist Mar 15, 2017.
    112 changes: 112 additions & 0 deletions Secure your Docker Daemon
    @@ -0,0 +1,112 @@
    #!/bin/bash
    #
    # SETTING UP DOCKER SERVER CERTIFICATES
    #
    # Docker Daemon varsayilan olarak ag iletisimi olmadan
    # sadece Unix socket uzerinden calismaktadir.
    # Docker Client ve Daemon arasinda HTTPS uzerinden
    # guvenli iletisimin kurulmasi icin TLS aktif hale getirilmelidir.
    # Client ve Server/daemon arasindaki guvenli iletisim agi
    # icin gereken client ve server sertifikasyonlarini
    # olusturmaliyiz.
    #
    # Configure and run Docker:
    #
    # https://docs.docker.com/engine/admin/
    #
    # Docker daemon varsayilan servis yapisini ezmek icin
    # /etc/systemd/system/ altinda docker.service.d dosyasi
    # yaratilarak override.conf drop-in dosyasi olusturuluyor.
    # Bu dosyanin calistirilmasiyla olusan sertifikalardan
    # server anahtarlarini servis tarafinda TLS guvenligini acarak
    # belirtmemiz gerekiyor.
    #
    # $ pwd
    # /etc/systemd/system/docker.service.d
    # $ vim override.conf
    # [Service]
    # ExecStart=
    # ExecStart=/usr/bin/dockerd -D -H unix:///var/run/docker.sock --tlsverify --tlscert=~/.docker/server-cert.pem --tlscacert=~/.docker/ca.pem --tlskey=~/.docker/server-key.pem -H tcp://0.0.0.0:2376
    #
    #
    # TLS aktif olan Docker daemon'a guvenli erisim saglamanin 2 yolu vardir
    #
    # 1. Docker client uzerinden gerekli secenekleri kullanmak:
    #
    # $ docker \
    # --tlsverify \
    # --tlscacert=ca.pem \
    # --tlscert=cert.pem \
    # --tlskey=key.pem \
    # -H localhost:2376 info
    #
    # veya
    #
    # 2. DOCKER_HOSTS ortam degiskenlerini kullanmak:
    #
    # export DOCKER_TLS_VERIFY="1"
    # export DOCKER_HOST="tcp://0.0.0.0:2376"
    # export DOCKER_CERT_PATH="/home/hakan/.docker"
    #

    set -e

    cd ~
    echo "you are now in $PWD"

    if [ ! -d ".docker/" ]
    then
    echo "Directory ./docker/ does not exists."
    echo "Creating the directory"
    mkdir .docker
    fi

    cd .docker/
    echo "type in your certificate password (characters are not echoed)"
    read -p '>' -s PASSWORD

    echo "Type in the server name you’ll use to connect to the Docker server"
    read -p '>' SERVER

    # 256bit AES (Advanced Encryption Standard) is the encryption cipher which is used for generating certificate authority (CA) with 2048-bit security.
    openssl genrsa -aes256 -passout pass:$PASSWORD -out ca-key.pem 2048

    # Sign the the previously created CA key with your password and address for a period of one year.
    # i.e. generating a self-signed certificate for CA
    # X.509 is a standard that defines the format of public key certificates fixed size 256-bit (32-byte) hash
    openssl req -new -x509 -days 365 -key ca-key.pem -passin pass:$PASSWORD -sha256 -out ca.pem -subj "/C=TR/ST=./L=./O=./CN=$SERVER"

    # Generating a server key with 2048-bit security
    openssl genrsa -out server-key.pem 2048

    # Generating a certificate signing request (CSR) for the the server key with the name of your host.
    openssl req -new -key server-key.pem -subj "/CN=$SERVER" -out server.csr

    # Sign the key with your password for a period of one year
    # i.e. generating a self-signed certificate for the key
    openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem

    # For client authentication, create a client key and certificate signing request
    # Generate a client key with 2048-bit security
    openssl genrsa -out key.pem 2048
    # Process the key as a client key.
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr

    # To make the key suitable for client authentication, create an extensions config file:
    sh -c 'echo "extendedKeyUsage = clientAuth" > extfile.cnf'

    # Sign the (public) key with your password for a period of one year
    openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out cert.pem -extfile extfile.cnf

    echo "Removing unnecessary files i.e. client.csr extfile.cnf server.csr"
    rm ca.srl client.csr extfile.cnf server.csr

    echo "Changing the permissions to readonly by root for the server files."
    # To make them only readable by you:
    chmod 0400 ca-key.pem key.pem server-key.pem

    echo "Changing the permissions of the client files to read-only by everyone"
    # Certificates can be world-readable, but you might want to remove write access to prevent accidental damage
    # these are all x509 certificates aka public key certificates
    # X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS.
    chmod 0444 ca.pem server-cert.pem cert.pem
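Review bot: the documented systemd drop-in will not start the daemon as written: systemd does no tilde expansion in `ExecStart=`, so `--tlscert=~/.docker/server-cert.pem`, `--tlscacert=~/.docker/ca.pem` and `--tlskey=~/.docker/server-key.pem` are passed literally and dockerd cannot open them; use absolute paths (for example under `/etc/docker/`) and keep the daemon's key out of a user's home directory. Two further points on the certificate steps: the server CSR and certificate carry only `CN=$SERVER` and no `subjectAltName`, and Go-based clients such as the docker CLI (since Go 1.15) no longer match the host name against CN, so the server certificate should be signed with an extfile containing `subjectAltName = DNS:$SERVER` (plus `IP:...` if clients dial by address) and `extendedKeyUsage = serverAuth`, mirroring what is already done for the client certificate. Also, the echo says only `client.csr extfile.cnf server.csr` are removed, but the `rm` also deletes `ca.srl`, the CA's serial-number state; keep it beside `ca-key.pem` so later certificates issued from this CA continue the sequence. Finally, `-D` turns on dockerd debug logging, which is noisy for a production unit; drop it once the TLS setup is verified.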