TLS over context

Issue type:

Security - TLS/context

OS Version/build:

Ubuntu 22.04.1 LTS

App version:

  • docker-ce: Docker version 20.10.17, build 100c701
  • docker-compose-plugin: Docker Compose version v2.4.1
  • swarn mode: inactive
  • tested on: docker-on-docker (docker:dind)

description

  • Trying to start a tls connection using docker command line args is successiful
  • Trying to configure context for tls is failing

Steps to reproduce:

  • Start two docker-in-docker containers (dind)
    • make sure port 2376 is exposed to network from the one acting as server
    # client
    docker run -d --privileged --name=dinder docker:dind;
    # server
    docker run --rm --privileged --name=dind --expose 2376 docker:dind;
    
    • make sure the configuration is done
  • get containers ip
    docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -aq);
    # 172.17.0.2 # dind
    # 172.17.0.3 # dinder
    
  • start sh shell inside every container
    # every command in separate shell
    docker exec -it dind sh;
    docker exec -it dinder sh;
    
  • view and copy contensts of ca files
    # client ... server
    /certs/client/ca.pem ... ca.pem
    /certs/client/cert.pem .. cert.pem
    /certs/client/key.pem ... key.pem
    
  • Try listing images and pulling from inside client from both containers
    ## >>> inside client
    docker images;
    # REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
    
    ## >>> inside server
    docker -H 172.17.0.2:2376 --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
    # REPOSITORY   TAG       IMAGE ID       CREATED       SIZE...
    
    docker -H 172.17.0.2:2376 --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem pull alpine;
    # ...
    
      docker -H 172.17.0.2:2376 --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
    # REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
    # alpine       latest    9c6f07244728   4 weeks ago   5.54MB
    
    docker images;
    # REPOSITORY   TAG       IMAGE ID       CREATED       SIZE...
    
    ## >>> inside client
    docker images;
    # REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
    # alpine       latest    9c6f07244728   4 weeks ago   5.54MB
    
    # make sure which ip is for the client
    ip a;
    # ...  inet 172.17.0.2/16 ...
    
  • try using context
    # setup context
    docker context create web --description "dind server via web interface" --docker="host=tcp://172.17.0.2:2376";
    docker context use web;
    
    # verify context working
    docker context ls;
    # NAME      ... DOCKER ENDPOINT ...
    # default      ... unix:///var/run/docker.sock ...
    # web *        ... tcp://172.17.0.2:2376
    
    ## >>> error reproduced
    docker images;
    docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
    # Error response from daemon: Client sent an HTTP request to an HTTPS server.
    
    # get TLS storage path
    docker context inspect -f '{{.Storage.TLSPath}}' web;
    # /root/.docker/contexts/tls/..
    
    ls /root/.docker/contexts/tls/
    # ls: ...: No such file or directory
    
    # create TLS storage dir
    mkdir /root/.docker/contexts/tls/
    mkdir /root/.docker/contexts/tls/...
    
    # copy certs to TLS storage path
    cp *.pem /root/.docker/contexts/tls/.../
    
    ## >>> error reproduced again
    docker images;
    docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
    # Error response from daemon: Client sent an HTTP request to an HTTPS server.
    

Notes:

  1. I notice this field in context inspect but don’t understand how to configuer it

    "TLSMaterial": {},
    
  2. I used this run dind container and every thing is going well with no tls on port 2375
    but this is not secure

    -e DOCKER_TLS_CERTDIR=""
    
  3. docker contect is needed so one could use compose / swarn / k8 normally with tls connection and no need for setting it with every command

  4. I may be missing reloading certs ! and also I don’t understand how to do so

Questions

  • How to set up context to use TLS by default in with a correct manner ?
  • Is it available to set it up to run with any ORCHESTRATOR with no further configuration ?

A forum search for “docker context tls” brought me to a thread with an old post of mine: How do you create a context for a remote tls daemon? - #3 by meyay

Just follow the example and replace the windows paths from the example with your linux paths.

1 Like

Thanks that’s what I was missing
All the configuration appeared in the inspect and certs copied to tls path as well

docker context inspect web;
#        "TLSMaterial": {
#            "docker": [
#                "ca.pem",
#                "cert.pem",
#                "key.pem"
#            ]
#        },
#        "Storage": {
#            "MetadataPath": "/root/.docker/contexts/meta/...",
#            "TLSPath": "/root/.docker/contexts/tls/..."
#        }
#    }
#]

ls /root/.docker/contexts/tls/.../docker
# ca.pem    cert.pem  key.pem

Thanks a lot @meyay for both comments

1 Like

I moved the topic from “Tips & Howtos” to “Open Source Projects » DockerEngine”. Please, keep the “Tips & Howtos” category for actual tips and find a proper category for questions. :slight_smile: Thank you!

Now you can also mark @meyay’s post as solution, since that button appears in this category but not in Tips & Howtos nor in General descussion.

1 Like

Thanks and excuse me as I’m relatively new I picked the most near catagory of what I know but having a solution button is great

1 Like