Use driver 'none' machines under docker-machine without fake server keys #1233
Comments
|
To clarify some confusion I introduced in a comment on #1229 - I want more control over how the certificates are user by docker-machine. I think docker-machine is not yet classed as "Production Ready", e.g. on vsphere it uses a boot2docker iso, which is specifically called out to be not good enough in the recent security standards (https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). Also CA and certificate creation is a bit rough & ready - one CA/server/client cert is made per call to docker-machine create, and no way I can see to use pre-made CA's/certs. Hence I am looking to create docker hosts like we do other Linux severs, and secure them according to docker & other best practices with TLS, but also to exist & be switchable in the docker-machine host list. Would prefer SSH to host be optional. |
|
Thanks for the feedback! You can use an existing CA certificate / key with the Thanks! |
|
I'm sorry @ehazlett but your answer doesn't make much sense. To connect to an existing docker host over tcp this is the stuff needed: A client certificate + private key. That's all that should be needed. I can of course set this up without using docker-machine, and maybe it's not a scenario you wish to support, which would be fine. But it would be convenient if I could put this in docker-machine with |
|
@ehazlett I think this should be reopened because it's no longer possible to use |
|
I've decided for discussion on |
Update aufs-util to an appropriately newer version (and compilation to use the proper build flags)
I'm trying to package up a docker & docker-machine install for others in our (primarily Windows) organisation, and hoped to just include the "ca.pem" that our server keys were signed with, and arrange for a personal cert & private key from a CA trusted by the server to get access. I.e. for the config.json below to work:
{ "DriverName": "none", "Driver": { "URL": "tcp://my-ip-address:2376" }, "StorePath": "C:\\Users\\username\\.docker\\machine\\machines\\host1", "HostOptions": { "Driver": "", "Memory": 0, "Disk": 0, "EngineOptions": { "Dns": null, "GraphDir": "", "Ipv6": false, "Labels": null, "LogLevel": "", "StorageDriver": "", "SelinuxEnabled": false, "TlsCaCert": "", "TlsCert": "", "TlsKey": "", "TlsVerify": false, "RegistryMirror": null }, "AuthOptions": { "CaCertPath": "C:\\Users\\username\\.docker\\machine\\machines\\host1\\ca.pem", "ClientKeyPath": "C:\\Users\\username\\.docker\\machine\\machines\\host1\\key.pem", "ClientCertPath": "C:\\Users\\username\\.docker\\machine\\machines\\host1\\cert.pem" } }, "SwarmHost": "", "SwarmMaster": false, "SwarmDiscovery": "", "CaCertPath": "", "PrivateKeyPath": "", "ServerCertPath": "", "ServerKeyPath": "", "ClientCertPath": "", "ClientKeyPath": "" }Unfortunately docker-machine barfs at this as it still tries to read in & validate the missing server.pem and server-key.pem files - but why would we want server secrets at the client? I can work around this by supplying dummy server key details but this seems messy.
I also know this isn't necessary if I go straight to docker & the three env vars "docker-machine env" sets, but would like to occaisonally switch from using an internal privileged view to the one I'm expecting others to use, and "docker-machine env" is meant to allow this easily, no?
This is related to #1123 - but that wants to retain user access to SSH into the host, which I don't see is necessary. With fake server keys I think docker-machine env is still SSH'ing in as a os-type/liveness test - can that be disabled?
The text was updated successfully, but these errors were encountered: