Out of the box, Docker uses a local Unix socket file to communicate with the daemon. In some cases you may not have access to this file, for reasons such as permissions or logistics.
In this exercise we will discuss how to enable and expose the HTTP REST API to communicate with your Docker service(s).
Enabling HTTP (without TLS)
Edit the file /etc/docker/daemon.json and ensure that it has at least the following contents:
{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://127.0.0.1:2375"
  ]
}
Now you're ready to restart dockerd with a sudo systemctl restart docker.
Enabling HTTP with TLS
Generate your CA Private Key:
openssl genrsa -aes256 -out ca-key.pem 4096
Generate your CA Public Key:
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Generate a server certificate and Certificate Signing Request (CSR):
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=somedomain.com" -sha256 -new -key server-key.pem -out server.csr
Now, generate the signed certificate that will be distributed to those who may call the HTTP API over TLS:
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Finally, update your /etc/docker/daemon.json to at least match:
{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://127.0.0.1:2375"
  ],
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "tlsverify": true
}
Now you're ready to restart dockerd with a sudo systemctl restart docker.
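As an added check covering both configurations above (not part of the original exercise), the following script audits a daemon.json document and reports a TCP listener that is exposed without tlsverify, a listener bound to every interface, or TLS enabled with one of the certificate paths missing. The two sample documents are constructed inline to mirror the files in this exercise; the function name audit_daemon_json is an assumption.

```python
import json

# Constructed samples mirroring the two daemon.json files in this exercise.
PLAIN_HTTP = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'
WITH_TLS = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"],
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "tlsverify": true
}"""

ALL_INTERFACES = ("", "0.0.0.0", "[::]", "::")


def audit_daemon_json(text):
    """Return a list of findings for a daemon.json document; empty means nothing to flag."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # socket-only daemon: nothing is reachable over the network
    tls_on = cfg.get("tlsverify") is True
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        ip, sep, _port = addr.rpartition(":")
        if not sep:  # no port given, the whole string is the address
            ip = addr
        if not tls_on:
            # The daemon API is root-equivalent on the host, so an unauthenticated
            # TCP listener must be flagged even when it is bound to loopback.
            findings.append(f"{host}: TCP listener without tlsverify")
        if ip in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
    if tls_on:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_HTTP), ("tls", WITH_TLS)):
        print(name, audit_daemon_json(doc) or "ok")
```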