Docker Community Forums


Unable to configure client based access in UCP


(Newbie123) #1

Hi,

I am a newbie to docker.

I have installed UCP successfully using the “production installation” method on port 444 and am able to launch the UI.

docker engine: 1.11.2-cs4
UCP:1.1.2

I read in documentation that “Docker UCP secures your cluster with role-based access control, …when running docker commands on a UCP node, you need to authenticate your request using client certificates.”

However, even after my UCP had been installed successfully, I am still able to run docker commands without being prompted for authentication on my UCP nodes. In fact, after trying to turn on client authentication (admin cert), I encounter a TLS error instead.

Can anyone help advise how I could resolve the issue?

[root@dockertest_cs admin-bundle]# docker ps | grep ucp
e3cea222840b docker/ucp-controller:1.1.2 "/bin/controller serv" 2 days ago Up 47 minutes 0.0.0.0:444->8080/tcp ucp-controller
4cff25f704c0 docker/ucp-auth:1.1.2 "/usr/local/bin/enzi " 2 days ago Up 47 minutes 0.0.0.0:12386->4443/tcp ucp-auth-worker
ca6b1e07bcca docker/ucp-auth:1.1.2 "/usr/local/bin/enzi " 2 days ago Up 47 minutes 0.0.0.0:12385->4443/tcp ucp-auth-api
f3554ac0f223 docker/ucp-auth-store:1.1.2 "rethinkdb --bind all" 2 days ago Up 48 minutes 0.0.0.0:12383-12384->12383-12384/tcp ucp-auth-store
e9065f7f01e0 docker/ucp-cfssl:1.1.2 "/bin/cfssl serve -ad" 2 days ago Up 48 minutes 8888/tcp, 0.0.0.0:12381->12381/tcp ucp-cluster-root-ca
6ce0319a3b61 docker/ucp-cfssl:1.1.2 "/bin/cfssl serve -ad" 2 days ago Up 48 minutes 8888/tcp, 0.0.0.0:12382->12382/tcp ucp-client-root-ca
44d24f2e47e8 docker/ucp-swarm:1.1.2 "/swarm manage --tlsv" 2 days ago Up 48 minutes 0.0.0.0:2376->2375/tcp ucp-swarm-manager
9b0c29c30b91 docker/ucp-swarm:1.1.2 "/swarm join --discov" 2 days ago Up 48 minutes 2375/tcp ucp-swarm-join
24d6474a5a74 docker/ucp-proxy:1.1.2 "/bin/run" 2 days ago Up 48 minutes 0.0.0.0:12376->2376/tcp ucp-proxy
e53644008eb8 docker/ucp-etcd:1.1.2 "/bin/etcd --data-dir" 2 days ago Up 47 minutes 2380/tcp, 4001/tcp, 7001/tcp, 0.0.0.0:12380->12380/tcp, 0.0.0.0:12379->2379/tcp ucp-kv
[root@dockertest_cs admin-bundle]#
[root@dockertest_cs admin-bundle]# eval $(<env.sh)
[root@dockertest_cs admin-bundle]# env | grep -i docker
HOSTNAME=dockertest_cs.localdomain
DOCKER_HOST=tcp://192.168.56.102:444
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=/var/tmp/admin-bundle
[root@dockertest_cs admin-bundle]# docker ps
An error occurred trying to connect: Get https://192.168.56.102:444/v1.23/containers/json: Tunnel or SSL Forbidden
[root@dockertest_cs admin-bundle]#


(Vivek Saraswat) #2

The way that UCP authenticates docker commands in the cluster is by the use of the client bundle: ( https://docs.docker.com/ucp/access-ucp/cli-based-access/ ). You can download a bundle which contains certificates that reflect the user’s permissions (admins have access to everything, non-admins only have what they are given via RBAC team labels and default permissions). This can be run on your local shell environment to provide a remote (and authenticated) connection to the UCP cluster.

However, even when UCP is active, you can still execute docker commands directly inside a node without authentication. The way to prevent this is by not giving node credentials to your users, which is a common precaution in a commercial deployment.


(Newbie123) #3

Hi Vivek,

Thanks for the clarification.

Just to add on regarding my resolution of the “Tunnel or SSL Forbidden” error: it was due to interference from the proxy setting in my bash profile. I have unset it, and the docker authentication now proceeds successfully.