Docker Remote API with TLS client authentication via container

This images makes you publish your Docker Remote API by a container. A client must authenticate with a client-TLS certificate. This is an alternative way, instead of configuring TLS on Docker directly.

Remote Api with external CA, certificates and key

First you need a CA and certs and keys for your Docker server and the client.

Create them as shown here Protect the Docker daemon socket. Or create the files with this script create-certs.sh. Read Create certificate files for information on how to use the script.

Copy the following files in a directory. The directory will me mounted in the container.

ca-cert.pem
server-cert.pem
server-key.pem

The files cert.pem and key.pem are certificate and key for the client. The client will also need the ca-cert.pem.

Create a docker-compose.yml file:

version: "3.4"
services:
  remote-api:
    image: kekru/docker-remote-api-tls:v0.4.0
    ports:
     - 2376:443
    volumes:
     - <local cert dir>:/data/certs:ro
     - /var/run/docker.sock:/var/run/docker.sock:ro

Now run the container with docker-compose up -d or docker stack deploy --compose-file=docker-compose.yml remoteapi. Your Docker Remote API is available on port 2376 via https. The client needs to authenticate via cert.pem and key.pem.

Remote Api with auto generating CA, certificates and keys

The docker-remote-api image can generate CA, certificates and keys for you automatically. Create a docker-compose.yml file, specifying a password and the hostname, on which the remote api will be accessible later on. The hostname will be written to the server's certificate.

version: "3.4"
services:
  remote-api:
    image: kekru/docker-remote-api-tls:v0.4.0
    ports:
     - 2376:443
    environment:
     - CREATE_CERTS_WITH_PW=supersecret
     - CERT_HOSTNAME=remote-api.example.com
    volumes:
     - <local cert dir>:/data/certs
     - /var/run/docker.sock:/var/run/docker.sock:ro

Now run the container with docker-compose up -d or docker stack deploy --compose-file=docker-compose.yml remoteapi. Certificates will be created in <local cert dir>. You will find the client-certs in <local cert dir>/client/. The files are ca.pem, cert.pem and key.pem.

Environment variables

CREATE_CERTS_WITH_PW

Passphrase to encrypt the certificate.

CERTS_PASSWORD_FILE

Certificate passphrase will be read from this docker secret. Absolute path of the secret file has to be provided i.e. CERTS_PASSWORD_FILE=/run/secrets/<secret_name>.

If both passphrase and secret file are set, the secret file takes precedence.

CERT_EXPIRATION_DAYS

Certificate expiration for server and client certs in days. If not set, the default value 365 is applied.

CA_EXPIRATION_DAYS

Certificate expiration for CA in days. If not set, the default value 900 is applied.

CERT_HOSTNAME

Domain name of the docker server.
If you don't have a DNS name, you can use nip.io to get a name for any IP.

Setup client

See Run commands on remote Docker host for instructions how to setup a client to communicate with the remote api.

You can also reuse dockerRemote and set url and path in it to your correct values.
Then just run ./dockerRemote ps to call ps against your remote api.

Quick test

To test this repo quickly, clone this repo, then run

# Start remote-api locally
docker-compose up -d
# Run ps over remote api (use GitBash when you are on Windows)
./dockerRemote ps

Changelog

v0.2.0

First stable release
Thanks @smiller171 for contributing!

v0.3.0

• update nginx version
• add configuration for cert expiration
• add configuration to use swarm secret as password for cert generation
• add automatic tests

Thanks @benkorichard for contributing!

v0.4.0

• update nginx version to 1.20.2