
docker --tls vs --tlsverify

Tags: docker, ssl

The docker cli tool provides two options for tls auth: --tls and --tlsverify.

What's the difference between these two options?

I've set up my remote docker daemon to use some TLS certs I've made using openssl. I'm able to connect to the daemon using the --tls flag but not using the --tlsverify flag.

bhurlow asked Mar 23 '16 19:03




1 Answer

If you "made" the certificates yourself (i.e., self-signed), it's unlikely that the certificates can be verified. Using the --tls option simply instructs Docker to use the certificates as-is without verifying the certificate with root authorities. --tlsverify requires that the certificate can be verified with a root authority before it is used.

See https://docs.docker.com/engine/security/https/ for more details, specifically (emphasis mine):

If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.

In the daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In the client mode, it will only connect to servers with a certificate signed by that CA.

In other words, the behavior you're experiencing is less of a Docker problem and more of a certificate problem.

Aaron Burke answered Oct 05 '22 03:10
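The distinction the answer draws, as an added example in Go (the language docker itself is written in) that is not code from Docker or from the answer: it builds a CA, a server certificate signed by that CA, and a self-signed server certificate, then runs the chain-and-hostname check that --tlsverify performs against the CA passed via --tlscacert, which --tls alone skips. The names docker-ca and dockerhost.example are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a cert for host: self-signed when parent is nil, else signed by parent.
func mkCert(host string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors only if crypto/rand does
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the name --tlsverify matches against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // the "certs I've made using openssl" case from the question
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, always parses
	return cert, key
}

// tlsverifyAccepts is what --tlsverify adds over --tls: chain to --tlscacert's CA and match host.
func tlsverifyAccepts(ca, server *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := mkCert("docker-ca", true, nil, nil)
	signed, _ := mkCert("dockerhost.example", false, ca, caKey)
	self, _ := mkCert("dockerhost.example", false, nil, nil)
	fmt.Println(tlsverifyAccepts(ca, signed, "dockerhost.example"), tlsverifyAccepts(ca, self, "dockerhost.example")) // true false
}
```

The fix on the asker's side is therefore to sign the daemon's certificate with the CA handed to --tlscacert (or to hand --tlscacert the self-signed certificate itself as the trust anchor), not to drop back to --tls.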