Last March, Dimitri published an excellent series on ‘How to run Containers as a Service’. In part 1, Dimitri describes containers, the problems of running containers and possible solutions. In part 2, he published a very elaborate guide on how to configure Containers as a Service using vRealize Automation. However, after upgrading vRealize Automation to the new 7.3 release this setup breaks. Investigation revealed that vRealize Automation 7.3 requires secure Docker communications, so the unsecured HTTP option used in part 2 no longer works.

Why?

By default, Docker runs via a non-networked Unix socket. If you need Docker to be reachable over the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate. In daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In client mode, it will only connect to servers with a certificate signed by that CA.

So how do we secure Docker communications?

Generate Certificates on the Photon OS Template

  1. Connect to the Photon OS template via SSH.
  2. Start and enable Docker using the following commands.

  3. Generate self-signed certificates using the following commands:

Provide the certificate details and, when prompted for the Common Name, the FQDN of the Photon template.

  4. Now that we have a CA, we can create a server key and certificate signing request (CSR). Make sure that the “Common Name” (i.e., the server FQDN or your name) matches the hostname you will use to connect to Docker.

  5. For client authentication, create a client key, a certificate signing request and an extensions config file, and sign the request with the CA.

  6. Next, make the Docker daemon accept only connections from clients presenting a certificate trusted by the CA, and enable certificate validation. Copy your CA certificate, your server certificate and your client certificate to your Docker client machine.

  7. Open the Docker configuration file with vi and add the following line to it.

  8. Incoming traffic on port 2376 is blocked by default, so it must be allowed through the firewall. To do this, add the firewall rule and restart the service to make the change effective.

  9. We’re almost done. The final step is to display and save the contents of the public and private certificate keys.

Copy and paste the certificates into a text file which you will need to use in a later stage.
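The certificate steps above as one runnable script, added here as an example and not part of the original article or its commands: it builds a CA, a server certificate whose CN and SAN match the host FQDN, and a client certificate restricted to clientAuth, then verifies that both chain to the CA. The default FQDN and output directory are constructed placeholders, and the daemon options line in the closing comment is an assumption about Photon’s /etc/default/docker, not something the article states.

```shell
#!/bin/sh
# Added example (not the article's own commands): CA, server and client
# certificates for mutual TLS on the Docker daemon port 2376.
# Assumes openssl is installed; FQDN and output dir are constructed defaults.
set -e

DOCKER_HOST_FQDN="${1:-photon-template.example.local}"   # constructed value
CERT_DIR="${2:-$(mktemp -d)}"
cd "$CERT_DIR"

gen_docker_tls() {
  # 1. CA key and self-signed CA certificate
  openssl genrsa -out ca-key.pem 4096 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -out ca.pem \
    -subj "/CN=docker-ca" 2>/dev/null
  # 2. Server key and CSR; the CN must match the name clients connect to
  openssl genrsa -out server-key.pem 4096 2>/dev/null
  openssl req -new -sha256 -key server-key.pem -out server.csr \
    -subj "/CN=$DOCKER_HOST_FQDN" 2>/dev/null
  # SAN covers clients that ignore the CN; serverAuth limits the usage
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
    "$DOCKER_HOST_FQDN" > server-ext.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem \
    -CAkey ca-key.pem -CAcreateserial -extfile server-ext.cnf \
    -out server-cert.pem 2>/dev/null
  # 3. Client key, CSR and an extensions file limiting the cert to clientAuth
  openssl genrsa -out key.pem 4096 2>/dev/null
  openssl req -new -key key.pem -out client.csr -subj '/CN=client' 2>/dev/null
  echo 'extendedKeyUsage = clientAuth' > client-ext.cnf
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem \
    -CAkey ca-key.pem -CAcreateserial -extfile client-ext.cnf \
    -out cert.pem 2>/dev/null
  # Private keys readable only by their owner; the CSRs are no longer needed
  chmod 0400 ca-key.pem key.pem server-key.pem
  rm -f server.csr client.csr
}

# Returns 0 only if both leaf certificates chain to the CA and carry the
# extensions the daemon and the client will rely on.
verify_docker_tls() {
  openssl verify -CAfile ca.pem server-cert.pem cert.pem >/dev/null 2>&1 || return 1
  openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Client Authentication' || return 1
  openssl x509 -in server-cert.pem -noout -text | grep -q "DNS:$DOCKER_HOST_FQDN"
}

gen_docker_tls && verify_docker_tls && echo "certificates written to $CERT_DIR"
# Daemon side (assumed /etc/default/docker line, not from the article):
# DOCKER_OPTS="--tlsverify --tlscacert=/root/.docker/ca.pem --tlscert=/root/.docker/server-cert.pem --tlskey=/root/.docker/server-key.pem -H tcp://0.0.0.0:2376"
```

The daemon must be restarted after the options line is in place, and the client supplies ca.pem, cert.pem and key.pem when connecting to port 2376.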

Verify secure Docker communications

Now that secure Docker communication is set up, we need to check that we performed the steps above correctly and that certificate validation works. We can do this by adding the template as a host in the Containers tab of vRealize Automation. To do this, do the following:

    1. Open your vRA console and go to the Containers tab.
    2. Select [Add a Host].
    3. Provide the Photon OS template URL in the address field (syntax = https://[IP address]:2376).
    4. Enter new credentials using the [New Credentials] option.
    5. Enter the correct credentials and select the [Certificate] option.
    6. Paste the Docker certificates we saved to notepad earlier in the appropriate fields.
    7. Confirm and save the credentials by using the [Verify] button and select [Yes] to confirm the certificate.


If you performed the actions correctly you should see a green message ribbon saying: “Verified successfully!”

    8. Now that secure Docker communication is verified, shut down the Photon VM and convert it to a vSphere template.


You can now continue with ‘Create a container host Blueprint and configure Container Placement‘ in part 2 of Dimitri’s series on Containers as a Service.
