Configure Docker for TLS
Docker has two TLS modes:
- Daemon mode
- Client mode
Daemon mode forces the daemon to only accept connections from clients that present a certificate signed by a CA the daemon trusts. Client mode tells the client to only connect to daemons that present a certificate signed by a CA the client trusts.
We’ll configure the daemon process on node1 for daemon mode and test it. After that, we’ll configure the client process on node2 for client mode and test that.
⚠️ Due to the platform’s security concerns, we will be unable to provide an execution environment for this lesson. You may test the commands on your local machine.
Configuring the Docker daemon for TLS
Securing the daemon is as simple as setting a few daemon flags in the daemon.json configuration file:
- tlsverify enables TLS verification (the daemon rejects clients that do not present a certificate signed by the trusted CA).
- tlscacert tells the daemon which CA to trust.
- tlscert tells Docker where the daemon’s certificate is located.
- tlskey tells Docker where the daemon’s private key is located.
- hosts tells Docker which sockets to bind the daemon on.
We’ll configure these in the platform-independent daemon.json configuration file. This is found in /etc/docker/ on Linux and C:\ProgramData\Docker\config\ on Windows.
Perform all of the following operations on the node that will run your secure Docker daemon (node3 in the example lab). Edit the daemon.json file and add the following lines. It assumes a user called ubuntu, but yours may be different.