Protect Your Docker Socket!

Mar 2, 2018 10:48 · 197 words · 1 minute read · Tags: Docker, DevOps, TLS, Security, Scaleway

By default, when you install and start Docker on Linux, the client talks to the Docker Engine on the local host over a Unix socket (/var/run/docker.sock), which is only accessible by the root user. A REST API with root-level access to the Linux kernel (cgroups, kernel namespaces, etc.), exposed!!!??? With no authentication or authorization!!!???

So, how do you access the Docker Engine over the network (TCP), and how do you secure that communication with TLS?

Method nr 1 - The Hard Way

Follow the steps in the Protect the Docker daemon socket doc. Deployment and use of TLS/SSL is easy ;-)

Sick of googling every time you need a self-signed certificate? Check out the OMGWTFSSL Cert Generator.

Method nr 3 - The Easiest Way (IMHO)

Docker-Machine… It can be used to create Docker hosts on various platforms, locally or in a cloud environment, and to control those Docker hosts afterwards. Docker-Machine also has the option to run everything over TLS. Let's take a look at how we deploy a Docker host to a cloud environment of our choosing, in this case Scaleway:

docker-machine --native-ssh create \
  --driver generic \
  --generic-ip-address <docker_host_ip> \
  --generic-ssh-user=root \
  --generic-ssh-key=<full_path_to_your_id_rsa> \
  --engine-storage-driver overlay2 \
  <docker_host_name>

Enjoy the magic!
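Whichever method you pick, it is worth checking afterwards that the daemon really does not expose its API over plain TCP. The following audit script is an added example, not part of the original post or of Docker's own tooling: it takes a dockerd command line (the sample lines inside it are constructed) and reports a tcp:// listener that runs without --tlsverify, which is exactly the unauthenticated root-equivalent API the post warns about.

```shell
#!/bin/sh
# Added example (not code from the original post): audit a dockerd command
# line for a tcp:// listener that serves the root-equivalent Engine API
# without client certificate verification.
# Exit status: 0 = no tcp:// listener, or all of them use --tlsverify
#              1 = a tcp:// listener is reachable without a client cert
audit_dockerd_args() {
    args="$1"
    # Listeners come from "-H tcp://...", "--host tcp://..." or "--host=tcp://...";
    # one token per line, with '=' treated as a separator as well.
    tcp_hosts=$(printf '%s\n' "$args" | tr ' =' '\n\n' | grep '^tcp://' || true)
    if [ -z "$tcp_hosts" ]; then
        echo "OK: no tcp:// listener, API reachable only via the unix socket"
        return 0
    fi
    # --tlsverify (or --tlsverify=true) makes the daemon demand a client
    # certificate signed by --tlscacert; --tls alone only encrypts.
    if printf '%s\n' "$args" | grep -qE -- '(^| )--tlsverify(=true)?( |$)'; then
        echo "OK: tcp:// listener(s) require a client certificate:"
        printf '  %s\n' $tcp_hosts
        return 0
    fi
    if printf '%s\n' "$args" | grep -qE -- '(^| )--tls(=true)?( |$)'; then
        echo "INSECURE: TLS enabled but no --tlsverify, any client is accepted:"
    else
        echo "INSECURE: plain tcp:// listener, no authentication at all:"
    fi
    printf '  %s\n' $tcp_hosts
    return 1
}

# Constructed sample command lines (not taken from a real host). On a real
# Linux host use:  audit_dockerd_args "$(ps -o args= -C dockerd)"
for cmdline in \
    "dockerd -H unix:///var/run/docker.sock" \
    "dockerd -H fd:// -H tcp://0.0.0.0:2375" \
    "dockerd --host=tcp://0.0.0.0:2376 --tls --tlscert=/etc/docker/server.pem" \
    "dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem"
do
    audit_dockerd_args "$cmdline" || true
done
```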