TLS secured Docker on Ubuntu 16.04 Quickstart
Installing a vanilla Docker environment on Ubuntu 16.04 was surprisingly non-straightforward for me. It turns out it is actually quite simple, but the docs and tutorials still seem to assume 14.04 / non-systemd and led me in circles a bit.
The problem is that 16.04 is now based on systemd and not upstart anymore, so config files moved around. Previously you would pass options to the docker daemon via /etc/default/docker; this however no longer works. So here is a quick write-up on how to set up Docker with TLS on 16.04 with systemd.
Setting up Docker with TLS on systemd
First a quick edit of the docker systemd service file is necessary. It is /lib/systemd/system/docker.service. By default it launches the docker daemon with the unix socket bound to fd:// (the socket handed over by systemd); however, in my opinion it is nicer to have all config options in a central place, the daemon.json config file that is read by the docker daemon. So first we'll remove the -H fd:// flag from the ExecStart line of the docker.service file and leave it plain without flags:
$ cat /lib/systemd/system/docker.service
[...]
ExecStart=/usr/bin/docker daemon
[...]
Next we create the /etc/docker/daemon.json file and add our settings.
As you can see I stored my TLS files in a subdirectory of the /etc/docker/ directory. The certificates are usually specific to a domain name, so naming the subdirectory after the domain makes this more obvious. I bound the daemon to two hosts: first the default unix socket, for nicer docker management on the server itself, and second the TLS secured TCP address. I use my domain name for the TCP address for the same reason stated previously.
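As an added example (not part of the original post), here is a small POSIX shell script that renders the daemon.json described above for a given domain and checks the TLS files' permissions before the daemon is restarted. It assumes port 2376 (Docker's conventional TLS port, not stated in the post) and the file names ca.pem, cert.pem and key.pem; the daemon.json keys used are documented dockerd options.

```shell
#!/bin/sh
# Added example, not from the original post: render the daemon.json the post
# describes and sanity-check the TLS files before restarting the daemon.
# Assumptions: port 2376 (Docker's conventional TLS port) and the file names
# ca.pem / cert.pem / key.pem as produced by the certgen gist.
set -eu

# Print a daemon.json that binds dockerd to the local unix socket plus a
# TLS-only TCP endpoint on DOMAIN, using the certificates under CERTDIR.
# "hosts", "tlsverify", "tlscacert", "tlscert" and "tlskey" are documented
# dockerd options; "tlsverify" makes the daemon require a client certificate.
render_daemon_json() {
  domain=$1
  certdir=$2
  cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://${domain}:2376"],
  "tlsverify": true,
  "tlscacert": "${certdir}/ca.pem",
  "tlscert": "${certdir}/cert.pem",
  "tlskey": "${certdir}/key.pem"
}
EOF
}

# Return 0 only if ca.pem, cert.pem and key.pem exist in CERTDIR and none of
# them is group- or world-readable (mode 400 or 600). Uses GNU stat.
check_tls_perms() {
  certdir=$1
  for f in ca.pem cert.pem key.pem; do
    if [ ! -f "$certdir/$f" ]; then
      echo "missing $certdir/$f" >&2
      return 1
    fi
    mode=$(stat -c '%a' "$certdir/$f")
    case $mode in
      400|600) ;;
      *) echo "$certdir/$f has mode $mode, expected 400" >&2; return 1 ;;
    esac
  done
  return 0
}

# Usage: sh render-daemon-json.sh YOUR_DOMAIN /etc/docker/YOUR_DOMAIN > daemon.json
if [ $# -eq 2 ]; then
  check_tls_perms "$2"
  render_daemon_json "$1" "$2"
fi
```

Because "hosts" is set in daemon.json, the -H fd:// flag must be gone from ExecStart as described above, otherwise dockerd refuses to start with a conflicting-option error.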
And that should be it: reload systemd, restart your docker service, enable it so it starts on boot, and you should be able to connect:
sudo systemctl daemon-reload
sudo systemctl restart docker
sudo systemctl enable docker
You could add your server user to the docker group (the unix socket is owned by this group); however, since I manage docker via TCP I opt not to use it and run docker via sudo if necessary.
Note: don’t forget to distribute certificates to your clients, and set the
Creating the certificates
This is somewhat beyond the scope of this quick post and I’d like to redirect you to the official docs for that.
A really neat tool I encountered though is this GIST by Adam Stankiewicz that can generate certificates quickly:
$ gem install certificate_authority
$ ruby certgen.rb YOUR_DOMAIN
This will generate self-signed client and server certificates and store them in the ~/.docker folder. Copy the server certificates from ~/.docker/YOUR_DOMAIN to your server and set the proper
$ sudo ls -la /etc/docker/YOUR_DOMAIN/
total 20
dr-------- 2 root root 4096 Jun 6 14:29 .
drwx------ 3 root root 4096 Jun 6 15:42 ..
-r-------- 1 root root 1151 Jun 6 14:29 ca.pem
-r-------- 1 root root 1155 Jun 6 14:29 cert.pem
-r-------- 1 root root 1679 Jun 6 14:29 key.pem
Please take note that docker (by default) overrides your UFW firewall rules! I wrote a post on this which you can find here.