TLS over context

abdelazizsharaf · September 9, 2022, 8:52pm

Issue type:

Security - TLS/context

OS Version/build:

Ubuntu 22.04.1 LTS

App version:

docker-ce: Docker version 20.10.17, build 100c701
docker-compose-plugin: Docker Compose version v2.4.1
swarn mode: inactive
tested on: docker-on-docker (docker:dind)

description

Trying to start a tls connection using docker command line args is successiful
Trying to configure context for tls is failing

Steps to reproduce:

Start two docker-in-docker containers (dind)
- make sure port 2376 is exposed to network from the one acting as server
```
# client
docker run -d --privileged --name=dinder docker:dind;
# server
docker run --rm --privileged --name=dind --expose 2376 docker:dind;
```
- make sure the configuration is done

get containers ip

docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -aq);
# 172.17.0.2 # dind
# 172.17.0.3 # dinder

start sh shell inside every container

# every command in separate shell
docker exec -it dind sh;
docker exec -it dinder sh;

view and copy contensts of ca files

# client ... server
/certs/client/ca.pem ... ca.pem
/certs/client/cert.pem .. cert.pem
/certs/client/key.pem ... key.pem

Try listing images and pulling from inside client from both containers

## >>> inside client
docker images;
# REPOSITORY   TAG       IMAGE ID       CREATED       SIZE

## >>> inside server
docker -H 172.17.0.2:2376 --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
# REPOSITORY   TAG       IMAGE ID       CREATED       SIZE...

docker -H 172.17.0.2:2376 --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem pull alpine;
# ...

  docker -H 172.17.0.2:2376 --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
# REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
# alpine       latest    9c6f07244728   4 weeks ago   5.54MB

docker images;
# REPOSITORY   TAG       IMAGE ID       CREATED       SIZE...

## >>> inside client
docker images;
# REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
# alpine       latest    9c6f07244728   4 weeks ago   5.54MB

# make sure which ip is for the client
ip a;
# ...  inet 172.17.0.2/16 ...

try using context

# setup context
docker context create web --description "dind server via web interface" --docker="host=tcp://172.17.0.2:2376";
docker context use web;

# verify context working
docker context ls;
# NAME      ... DOCKER ENDPOINT ...
# default      ... unix:///var/run/docker.sock ...
# web *        ... tcp://172.17.0.2:2376

## >>> error reproduced
docker images;
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
# Error response from daemon: Client sent an HTTP request to an HTTPS server.

# get TLS storage path
docker context inspect -f '{{.Storage.TLSPath}}' web;
# /root/.docker/contexts/tls/..

ls /root/.docker/contexts/tls/
# ls: ...: No such file or directory

# create TLS storage dir
mkdir /root/.docker/contexts/tls/
mkdir /root/.docker/contexts/tls/...

# copy certs to TLS storage path
cp *.pem /root/.docker/contexts/tls/.../

## >>> error reproduced again
docker images;
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem images;
# Error response from daemon: Client sent an HTTP request to an HTTPS server.

Notes:

I notice this field in context inspect but don’t understand how to configuer it
```
"TLSMaterial": {},
```
I used this run dind container and every thing is going well with no tls on port 2375
but this is not secure
```
-e DOCKER_TLS_CERTDIR=""
```
docker contect is needed so one could use compose / swarn / k8 normally with tls connection and no need for setting it with every command
I may be missing reloading certs ! and also I don’t understand how to do so

Questions

How to set up context to use TLS by default in with a correct manner ?
Is it available to set it up to run with any ORCHESTRATOR with no further configuration ?

meyay · September 10, 2022, 7:18pm

A forum search for “docker context tls” brought me to a thread with an old post of mine: How do you create a context for a remote tls daemon? - #3 by meyay

Just follow the example and replace the windows paths from the example with your linux paths.

abdelazizsharaf · September 11, 2022, 10:16am

Thanks that’s what I was missing
All the configuration appeared in the inspect and certs copied to tls path as well

docker context inspect web;
#        "TLSMaterial": {
#            "docker": [
#                "ca.pem",
#                "cert.pem",
#                "key.pem"
#            ]
#        },
#        "Storage": {
#            "MetadataPath": "/root/.docker/contexts/meta/...",
#            "TLSPath": "/root/.docker/contexts/tls/..."
#        }
#    }
#]

ls /root/.docker/contexts/tls/.../docker
# ca.pem    cert.pem  key.pem

Thanks a lot @meyay for both comments

rimelek · September 23, 2022, 12:59pm

I moved the topic from “Tips & Howtos” to “Open Source Projects » DockerEngine”. Please, keep the “Tips & Howtos” category for actual tips and find a proper category for questions. Thank you!

Now you can also mark @meyay’s post as solution, since that button appears in this category but not in Tips & Howtos nor in General descussion.

abdelazizsharaf · September 23, 2022, 9:02pm

Thanks and excuse me as I’m relatively new I picked the most near catagory of what I know but having a solution button is great

Topic		Replies	Views
How do you create a context for a remote tls daemon? General docker	5	3245	November 7, 2021
Does anyone have a working example of docker-compose within docker-dind? General docker	1	2108	March 29, 2021
Daemon.json file ignored General	1	223	July 19, 2024
Enabling docker engine TLS with a container that needs to issue docker-client commands? General docker	2	5296	May 14, 2016
Docker behing transparent proxy and intermediate cert General dockerhub , docker	4	3870	May 16, 2019