Configure Docker for TLS

Learn to configure Docker daemon and Docker client for TLS.

Docker has two TLS modes:

  • Daemon mode
  • Client mode

Daemon mode forces the daemon to only allow connections from clients with a valid certificate. Client mode tells the client only to connect with daemons that have a valid certificate.

We’ll configure the daemon process on node1 for daemon mode and test it. After that, we’ll configure the client process on node2 for client mode and test that.

⚠️ Due to the platform’s security concerns, we will be unable to provide an execution environment for this lesson. You may test the commands on your local machine.

Configuring the Docker daemon for TLS

Securing the daemon is as simple as setting a few daemon flags in the daemon.json configuration file:

  • tlsverify enables TLS verification.
  • tlscacert tells the daemon which CA to trust.
  • tlscert tells Docker where the daemon’s certificate is located.
  • tlskey tells Docker where the daemon’s private key is located.
  • hosts tells Docker which sockets to bind the daemon on.

We’ll configure these in the platform-independent daemon.json configuration file. This is found in /etc/docker/ on Linux and C:\ProgramData\Docker\config\ on Windows.

Perform all of the following operations on the node that will run your secure Docker daemon (node3 in the example lab).

Edit the daemon.json file, and add the following lines. It assumes a user called ubuntu, but yours may be different.

Get hands-on with 1000+ tech skills courses.