The docker cli tool provides two options for tls auth: --tls and --tlsverify.
What's the difference between these two options?
I've set up my remote docker daemon to use some TLS certs I've made using openssl. I'm able to connect to the daemon using the --tls flag but not using the --tlsverify flag.
Docker supports using TLS certificates (both on the server and the client) to provide proof of identity. When set up correctly it will only allow clients/servers with a certificate signed by a specific CA to talk to each other.
If you "made" the certificates yourself (i.e., self-signed), it's unlikely that the certificates can be verified. Using the --tls option simply instructs Docker to use the certificates as-is without verifying the certificate with root authorities. --tlsverify requires that the certificate can be verified with a root authority before it is used.
See https://docs.docker.com/engine/security/https/ for more details, specifically (emphasis mine):
If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.
In the daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In the client mode, it will only connect to servers with a certificate signed by that CA.
In other words, the behavior you're experiencing is less of a Docker problem and more of a certificate problem.
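To make the "certificate problem" concrete, here is an added example (not part of the question or the answer above) that reproduces the check --tlsverify performs without needing a running daemon: it builds a small private CA with openssl, issues one certificate signed by that CA and one self-signed certificate, and then asks openssl whether each one chains to the CA file that would be passed as --tlscacert. The CA name, the "daemon" and "selfsigned" file names and the scratch directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example: show why a self-signed certificate is accepted by --tls
# (used as-is) but rejected by --tlsverify (must chain to --tlscacert).
set -eu

# Scratch directory for the generated key material (assumed, override with WORK=...)
WORK="${WORK:-$(mktemp -d)}"

# Create a private CA. Its certificate is what Docker's --tlscacert points at.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" \
        -subj "/CN=example-docker-ca" >/dev/null 2>&1
}

# Issue a certificate for the name given in $1, signed by the CA above.
# This is the shape of cert that passes --tlsverify.
make_signed_cert() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" \
        -subj "/CN=$name" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -out "$WORK/$name.pem" -days 365 >/dev/null 2>&1
}

# Create a self-signed certificate for $1. Nothing vouches for it except
# itself, so it has no chain to ca.pem.
make_self_signed_cert() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$name-key.pem" -out "$WORK/$name.pem" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# Exit status 0 when the certificate in $1 chains to ca.pem; this is the
# verification step that distinguishes --tlsverify from --tls.
verifies_against_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_ca
make_signed_cert daemon
make_self_signed_cert selfsigned

if verifies_against_ca "$WORK/daemon.pem"; then
    echo "daemon.pem chains to ca.pem: usable with --tlsverify"
fi
if ! verifies_against_ca "$WORK/selfsigned.pem"; then
    echo "selfsigned.pem does not chain to ca.pem: only --tls would accept it"
fi
```

Once the daemon and client certificates are issued by the same CA, the daemon is started with --tlsverify --tlscacert=ca.pem --tlscert=daemon.pem --tlskey=daemon-key.pem, and the client passes --tlsverify --tlscacert=ca.pem together with its own --tlscert/--tlskey; the linked Docker documentation also covers putting the daemon's host name or IP in the certificate's subjectAltName and marking the client certificate with extendedKeyUsage = clientAuth, both of which can make verification fail even when the chain itself is fine.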