# Configuring TLS for the Docker Daemon
Follow the directions for [creating a CSR and signing a certificate](../ca/certificate_signing.md). The key and CSR can be created on the Docker node, and only the CSR needs to be provided for signing. Once the bundle has been received, extract it to the desired directory. Make sure to extract the bundle into a secure directory that cannot be read from or written to by every user on the system.
### Edit the systemd service file (alternatively, `systemctl edit docker` could be used to edit the service)
```
sudo vim /usr/lib/systemd/system/docker.service
```
### Add the following line and comment out the original ExecStart line
```
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/path/to/ca_or_ca_chain.crt --tlscert=/path/to/server.crt --tlskey=/path/to/server.key
```
### Reload daemons and restart the Docker service
```
sudo systemctl daemon-reload && sudo systemctl restart docker
```
### Test the connection to the Docker daemon from a remote host running the Docker CLI
```
docker --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=cert.pem \
    --tlskey=key.pem \
    -H=$HOST:2376 version
```
Replace `tlscacert`, `tlscert`, `tlskey`, and `$HOST` with the certificates and keys provided earlier and the FQDN or IP address of the Docker host. The command should output the Docker version running on the remote host.
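The server-side steps above (edit the unit, set the TLS-enabled `ExecStart`, reload) can be scripted with a systemd drop-in instead of editing `/usr/lib/systemd/system/docker.service` directly, which is what the `systemctl edit docker` alternative mentioned earlier produces. The following is an added example written for this page, not code from the original document or from the Docker project. The certificate paths under `/etc/docker/tls/` are placeholders, and the `lint_execstart` and `check_tls_dir_perms` helpers are this example's own checks: the first refuses an `ExecStart` that opens a `tcp://` listener without `--tlsverify`, and the second confirms the directory holding the key is not accessible to every user, as the extraction note at the top of the page requires. The remote connection test stays as the page shows it.

```shell
#!/bin/sh
# Added example (not from the original page): render a systemd drop-in that
# enables TLS on dockerd, lint the resulting ExecStart, and verify the
# permissions of the directory holding the TLS material. All paths are
# placeholders.
set -eu

# Render a drop-in unit (the file `systemctl edit docker` opens) that replaces
# ExecStart. The empty "ExecStart=" line clears the original value first;
# without it systemd rejects the unit, because a non-oneshot service may
# define only one ExecStart.
render_docker_tls_dropin() {
    ca="$1"; cert="$2"; key="$3"; listen="${4:-0.0.0.0:2376}"
    printf '%s\n' \
        '[Service]' \
        'ExecStart=' \
        "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://$listen --tlsverify --tlscacert=$ca --tlscert=$cert --tlskey=$key"
}

# Return 0 if an ExecStart line either has no tcp:// listener or pairs it with
# --tlsverify, 1 otherwise. A tcp:// listener without --tlsverify gives
# root-equivalent control of the host to anyone who can reach the port.
lint_execstart() {
    line="$1"
    case "$line" in
        *tcp://*)
            case "$line" in
                *--tlsverify*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Return 0 if the "other" permission bits on the directory are all clear
# (e.g. 0750 or 0700), 1 if every user can read, write or search it.
# Parses the mode string printed by ls -ld, which works on GNU and BSD ls.
check_tls_dir_perms() {
    dir="$1"
    other=$(ls -ld "$dir" | cut -c8-10)
    [ "$other" = "---" ]
}

# Write the drop-in where systemd reads overrides from (needs root), then
# reload and restart as the page describes. DROPIN_DIR can be overridden
# for testing.
install_docker_tls_dropin() {
    dropin_dir="${DROPIN_DIR:-/etc/systemd/system/docker.service.d}"
    mkdir -p "$dropin_dir"
    render_docker_tls_dropin "$1" "$2" "$3" "${4:-0.0.0.0:2376}" > "$dropin_dir/tls.conf"
    systemctl daemon-reload && systemctl restart docker
}

# Demonstration with placeholder paths (no root needed): render and lint.
unit=$(render_docker_tls_dropin /etc/docker/tls/ca.crt /etc/docker/tls/server.crt /etc/docker/tls/server.key)
printf '%s\n' "$unit"
lint_execstart "$(printf '%s\n' "$unit" | tail -n 1)" && echo "ExecStart lint: ok"
```

Run `check_tls_dir_perms /etc/docker/tls` before installing the drop-in; if it fails, fix the directory mode (for example `chmod 750`) so the private key is not exposed to every local account. After `install_docker_tls_dropin`, `systemctl cat docker` shows the original unit followed by the override, which is a quick way to confirm the TLS flags took effect.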