Configure Docker for TLS
Learn to configure Docker daemon and Docker client for TLS.
Docker has two TLS modes:
- Daemon mode
- Client mode
Daemon mode forces the daemon to only allow connections from clients with a valid certificate. Client mode tells the client only to connect with daemons that have a valid certificate.
We’ll configure the daemon process on node1 for daemon mode and test it. After that, we’ll configure the client process on node3 for client mode and test that.
⚠️ Due to the platform’s security concerns, we will be unable to provide an execution environment for this lesson. You may test the commands on your local machine.
Configuring the Docker daemon for TLS
Securing the daemon is as simple as setting a few daemon flags in the daemon.json configuration file:
- tlsverify enables TLS verification.
- tlscacert tells the daemon which CA to trust.
- tlscert tells Docker where the daemon’s certificate is located.
- tlskey tells Docker where the daemon’s private key is located.
- hosts tells Docker which sockets to bind the daemon on.
We’ll configure these in the platform-independent daemon.json configuration file. This is found in /etc/docker/ on Linux and C:\ProgramData\Docker\config\ on Windows.
Perform all of the following operations on the node that will run your secure Docker daemon (node3 in the example lab).
Edit the daemon.json file and add the following lines. It assumes a user called ubuntu, but yours may be different.
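As an added example (not the lesson's own file), here is a daemon.json that sets the five flags listed above; the certificate and key paths under /home/ubuntu and the 0.0.0.0:2376 bind address are assumptions, 2376 being the conventional port for a TLS-protected Docker daemon:

```json
{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/home/ubuntu/ca.pem",
  "tlscert": "/home/ubuntu/daemon-cert.pem",
  "tlskey": "/home/ubuntu/daemon-key.pem"
}
```

On systemd-based Linux installs the unit file already passes a -H flag to dockerd, and the daemon refuses to start when hosts is set in both places, so remove the -H flag from the ExecStart line (via a systemd drop-in) before restarting. Keep the key file readable only by root (mode 0600), since anyone who can read it can impersonate the daemon.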