Docker provides a way to run applications securely isolated in a container, packaged with all of their dependencies and libraries.

Installing Docker on CentOS 7

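# Install Docker CE on CentOS 7 and expose the daemon over client-certificate TLS.
# Run as root.
#
# Required environment:
#   HOST        DNS name of the Docker daemon host (clients must connect by this name)
#   PUBLIC_IP   public IP address of that host (added to the server cert's SAN)
# Optional:
#   CLIENT_CN   CN placed in the client certificate (default: client)
#   DAEMON_BIND address dockerd listens on for TCP (default: 0.0.0.0 = all interfaces)
#
# Several placeholders in the original page were lost in extraction (the repo URL,
# the listen address after -H= and tcp://, the third SAN entry); they are restored
# here as variables so nothing has to be edited by hand mid-run.
set -euo pipefail

: "${HOST:?set HOST to the DNS name of the Docker daemon host}"
: "${PUBLIC_IP:?set PUBLIC_IP to the public IP address of the Docker daemon host}"
CLIENT_CN=${CLIENT_CN:-client}
DAEMON_BIND=${DAEMON_BIND:-0.0.0.0}
readonly TLS_DIR=/etc/docker/tls
readonly DOCKER_PORT=2376
readonly DATA_ROOT=/z-eyes/data/docker-data

if (( EUID != 0 )); then
  printf 'this script must run as root\n' >&2
  exit 1
fi

# --- Install Docker CE --------------------------------------------------------
yum install -y yum-utils device-mapper-persistent-data lvm2
# The repo URL was missing from the original command; this is the Docker CE repo.
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# containerd.io is pulled from the same repo and is required by docker-ce.
yum install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker
docker run hello-world

# --- Server certificate ---------------------------------------------------------
mkdir -p -- "$TLS_DIR"
cd -- "$TLS_DIR"

# The CA key is passphrase-protected (-aes256); openssl prompts for the passphrase
# here and at every signing step below, so remember it. Whoever holds ca-key.pem
# can mint client certificates this daemon will trust, so keep it locked down
# (0400 below) and consider moving it off the daemon host once signing is done.
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# The SAN must list every name and address clients will dial. The original line
# expanded $PUBLIC followed by a literal "-IP" and left a dangling ",IP:" entry,
# which openssl rejects; 127.0.0.1 covers a client on the daemon host itself.
printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\n' "$HOST" "$PUBLIC_IP" > extfile.cnf
printf 'extendedKeyUsage = serverAuth\n' >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf

# --- Client certificate ---------------------------------------------------------
openssl genrsa -out key.pem 4096
# The original used single quotes, so the client CN became the literal text "$HOST".
# The CN identifies the client, not the server; give it its own name.
openssl req -subj "/CN=$CLIENT_CN" -new -key key.pem -out client.csr
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf

rm -v -- client.csr server.csr extfile.cnf extfile-client.cnf
chmod -v 0400 -- ca-key.pem key.pem server-key.pem
chmod -v 0444 -- ca.pem server-cert.pem cert.pem

# --- Trial run of the daemon with TLS before changing the service -------------
# The original stopped and disabled the service here and its "Start docker server"
# section was empty, so the daemon never came back on boot; the service is
# re-enabled below once daemon.json is in place.
systemctl stop docker
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem \
  --tlskey=server-key.pem -H="$DAEMON_BIND:$DOCKER_PORT" &
dockerd_pid=$!
sleep 5   # give dockerd time to bind the TCP listener
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \
  -H="$HOST:$DOCKER_PORT" version
kill "$dockerd_pid"
wait "$dockerd_pid" || true   # exits with the signal status; expected here

# --- Persistent daemon configuration -------------------------------------------
mkdir -pv -- "$DATA_ROOT"
if [[ -e /etc/docker/daemon.json ]]; then
  cp -v -- /etc/docker/daemon.json /etc/docker/daemon.json.bak
fi
# The original only added "hosts". Without the tls* keys the TCP listener is
# unauthenticated, and anyone who can reach port 2376 has root-equivalent control
# of the host. "data-root" uses the directory the original created; the line was
# presumably lost from the page's fragment — confirm it matches your intent.
cat > /etc/docker/daemon.json <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://$DAEMON_BIND:$DOCKER_PORT"],
  "tlsverify": true,
  "tlscacert": "$TLS_DIR/ca.pem",
  "tlscert": "$TLS_DIR/server-cert.pem",
  "tlskey": "$TLS_DIR/server-key.pem",
  "data-root": "$DATA_ROOT"
}
EOF

# The packaged unit starts dockerd with "-H fd://"; together with "hosts" in
# daemon.json the daemon refuses to start (the setting would be given both as a
# flag and in the config file). Clearing ExecStart lets daemon.json win.
mkdir -p -- /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/override.conf <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
systemctl daemon-reload
systemctl enable docker
systemctl start docker

# --- Firewall -------------------------------------------------------------------
systemctl enable firewalld.service
systemctl start firewalld.service
# This opens 2376/tcp to the whole public zone; only holders of a client cert can
# authenticate, but limiting the allowed source addresses is still worthwhile.
firewall-cmd --zone=public --add-port="$DOCKER_PORT/tcp" --permanent
firewall-cmd --reload
firewall-cmd --list-ports

# --- Client configuration on this host ---------------------------------------
mkdir -pv -- ~/.docker
cp -v -- "$TLS_DIR"/{ca,cert,key}.pem ~/.docker
# Append once; the original edited ~/.bash_profile interactively.
if ! grep -q 'DOCKER_TLS_VERIFY=1' ~/.bash_profile 2>/dev/null; then
  printf 'export DOCKER_HOST=tcp://%s:%s DOCKER_TLS_VERIFY=1\n' \
    "$HOST" "$DOCKER_PORT" >> ~/.bash_profile
fi
# For a client on the daemon host itself, DOCKER_HOST=tcp://127.0.0.1:2376 also
# works because 127.0.0.1 is in the server certificate's SAN.
export DOCKER_HOST="tcp://$HOST:$DOCKER_PORT" DOCKER_TLS_VERIFY=1

# --- Verify the client goes through TLS --------------------------------------
docker version
docker ps

# --- Hand the client credentials to a workstation (e.g. IntelliJ IDEA) ------
# sz (zmodem) only works inside an interactive ssh session. key.pem grants
# root-equivalent control of this host; treat it like a private ssh key.
yum install -y lrzsz
sz ~/.docker/{ca,cert,key}.pem
# In IntelliJ IDEA's Docker settings, the Engine API URL is https://$HOST:2376
# and the certificate folder is the directory holding the three downloaded files.
#The End#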
