Docker Community Forums

Share and learn in the Docker community.

Unable to secure daemon


(Sakib37) #1

I have very limited knowledge about TLS certification. I wanted to enable https for docker daemon. I followed this tutorial but at the end failed to start docker daemon.

I am using docker in a Ubuntu 16.04 VM and my client and server is the same machine. So I use the $hostname as the ‘Common Name’ during all the process.

After following the whole process is docker documentation when I run
’sudo dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376’

I get the INFO log that “API listen on [::]:2376”. When I use the below command
"docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version"
I get proper response.

But when I reload the daemon and try to start docker it says failed to start docker and give the following message-

“Job for docker.service failed because the control process exited with error code. See “systemctl status docker.service” and “journalctl -xe” for details.”

Output of ‘journalctl -xe’ is-
Nov 18 00:52:41 Thesis systemd[1]: Starting Docker Application Container Engine…
– Subject: Unit docker.service has begun start-up
– Defined-By: systemd
– Support:

– Unit docker.service has begun starting up.
Nov 18 00:52:41 Thesis dockerd[10111]: time=“2016-11-18T00:52:41.903233696+01:00” level=fatal msg="Error starting daemon: pid file f
Nov 18 00:52:41 Thesis systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
Nov 18 00:52:41 Thesis systemd[1]: Failed to start Docker Application Container Engine.
– Subject: Unit docker.service has failed
– Defined-By: systemd
– Support:

– Unit docker.service has failed.

– The result is failed.
Nov 18 00:52:41 Thesis systemd[1]: docker.service: Unit entered failed state.
Nov 18 00:52:41 Thesis systemd[1]: docker.service: Failed with result ‘exit-code’.
Nov 18 00:52:41 Thesis polkitd(authority=local)[965]: Unregistered Authentication Agent for unix-process:10058:1198680 (system bus n

I copied the necessary certificate to ~/.docker/ and the ‘ExecStart’ in my /lib/systemd/system/docker.service file is -

ExecStart=/usr/bin/dockerd -H fd:// -H 0.0.0.0:2376
–tlsverify --tlscacert=/home/sakib/.docker/ca.pem
–tlskey=/home/sakib/.docker/key.pem
–tlscert=/home/sakib/.docker/cert.pem


(David Maze) #2

You don’t need to (and shouldn’t) enable network access to the Docker daemon. It is a major security risk.

If you don’t add a -H option to the Docker daemon, and don’t set the DOCKER_HOST environment variable, then the Docker daemon will listen on a machine-local Unix socket (in /var/run/docker.sock), and the docker command-line tool and standard libraries will expect to connect to that socket. You might need to use sudo to access the socket, or if it’s owned by some group, add yourself to that group (in Ubuntu there is typically a docker group).

Remember: everyone who can access the Docker socket has unrestricted root access to the host system. (In your case that’s the VM running Docker.)


(Sakib37) #3

Hi Dmaze,

Thank you for your reply. I am aware of the risk but I need to access the remote api offered by the docker daemon. I am developing an application that will use docker API to do some task. I will not use the docker daemon from CLI actually. I will use the daemon by calling docker API 1.24. Temporarily I am doing it in the same VM but in future my docker daemon and the application will not be in the same geographical location. So it is actually required for me. Please let me know if you have any idea why this is failing. Thank you.


(David Maze) #4

All of the standard Docker libraries understand the DOCKER_HOST environment variable and know how to talk to the Unix socket. I highly recommend using one of those.

If you must speak raw HTTP, the sequence for connecting to a Unix socket is almost the same as connecting to a TCP socket.

Requiring that a user of your application open network-visible unrestricted root-level access to the host system isn’t really acceptable, especially when Docker has provided a good alternative.

Have you looked at existing orchestration layers like Docker Swarm, Amazon ECS, or Hashicorp’s Nomad?

Or, have you considered using a standard ssh connection to the host to run normal docker commands, or using a tool like Ansible that can do this on its own?

Anyone who can access the remote Docker socket has unrestricted root level access over your system.


(Sakib37) #5

If you must speak raw HTTP, the sequence for connecting to a Unix socket is almost the same as connecting to a TCP socket

Based on this if I call the docker API using tcp to my amazon EC2 docker host as below-

tcp://DOCKER_HOST:2376/images/json

will it be successful? I actually never saw using ‘tcp’ to call remote api.

If docker server and docker client communicate based on the trust created by digital certificate I hope the security concern is less. On this case only certified trusted client can talk with daemon. Still there is some risk which is also existed if I use the method docker offers because any kind of attack can be performed from trusted network or trusted device. Isn’t it?