Talk to docker over HTTP REST

Out of the box the docker CLI talks to the daemon over a local Unix socket (/var/run/docker.sock). In some cases you may not be able to use that socket, for example because you lack permission to it or because the client runs on a different machine.

In this exercise we will discuss how to enable and expose the HTTP REST API to communicate with your docker service(s).

Enabling HTTP (without TLS)

Edit the file /etc/docker/daemon.json and ensure that it has at least the following contents (keep the unix socket entry so local clients continue to work):

{
    "hosts": [
        "unix:///var/run/docker.sock",
        "tcp://127.0.0.1:2375"
    ]
}

Two things to know before you restart. First, a plaintext TCP listener has no authentication of any kind: whoever can connect to it can start a privileged container with the host filesystem bind-mounted, which is root on the host. Leave it bound to 127.0.0.1 as above and never put it on a network interface without the TLS configuration in the next section. Second, on distributions whose docker.service unit starts dockerd with -H fd:// on the command line, the daemon refuses to start when hosts is also set in daemon.json (the log reads "the following directives are specified both as a flag and in the configuration file: hosts"); the fix is a systemd drop-in that overrides ExecStart without the -H flag.

Now you're ready to restart dockerd with a sudo systemctl restart docker.

Enabling HTTP with TLS

Generate your CA private key (you will be prompted for a passphrase; -aes256 encrypts the key with it, and this key should never leave the machine you sign certificates on):

openssl genrsa -aes256 -out ca-key.pem 4096

Generate your self-signed CA certificate. This is the public half, and it is the file clients will later use to verify the daemon:

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Generate a server key and a Certificate Signing Request (CSR). The CN must be the hostname clients will dial; if clients connect by IP address, add a subjectAltName for that address when you sign the request, since modern TLS clients do not fall back to the CN:

openssl genrsa -out server-key.pem 4096

openssl req -subj "/CN=somedomain.com" -sha256 -new -key server-key.pem -out server.csr

Now sign the CSR with the CA. The resulting server-cert.pem and server-key.pem stay on the daemon host; what you distribute to callers of the API is ca.pem, plus (because the daemon configuration below enables tlsverify) a client certificate and key signed by the same CA:

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

Finally, update your /etc/docker/daemon.json to at least match:

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://127.0.0.1:2375"
  ],
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "tlsverify": true
}

A few things to check before restarting. "tlsverify": true makes the daemon demand a client certificate signed by ca.pem on every TCP connection, so a client that only holds ca.pem is refused during the TLS handshake; issue a client key and certificate from the same CA and point the docker CLI at them with --tlsverify --tlscacert --tlscert --tlskey (or place them as ca.pem, cert.pem and key.pem in ~/.docker). Docker's convention is port 2376 for the TLS listener and 2375 for plaintext, and the 127.0.0.1 binding above only accepts connections from the same host, so substitute the address of the interface remote clients will reach. The key under /etc/docker/certs must be readable by root only (chmod 0400 server-key.pem), and ca-key.pem should not be on the daemon host at all.

Now you're ready to restart dockerd with a sudo systemctl restart docker.
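The whole TLS setup above, from CA to daemon-side server certificate to the client certificate that "tlsverify": true requires, as one added script. This is example code written for this page, not part of the original tutorial or of Docker itself. The hostname docker.example.com and IP 10.0.0.5 are assumptions (override them with DOCKER_TLS_HOST / DOCKER_TLS_ADDR); unlike the page, the CA key is left unencrypted so the script runs unattended, and the server certificate gets a subjectAltName and an extendedKeyUsage, which the page's plain CSR does not.

```shell
#!/bin/sh
# Added example, not from the original page: build a CA, a server
# certificate for dockerd's TLS listener, and the client certificate that
# "tlsverify": true requires, then check both leaves against the CA.
# HOST and ADDR are assumptions; set them to the name and IP clients dial.
set -eu

HOST="${DOCKER_TLS_HOST:-docker.example.com}"   # assumed daemon hostname
ADDR="${DOCKER_TLS_ADDR:-10.0.0.5}"             # assumed daemon IP
OUT="${DOCKER_TLS_OUT:-$(mktemp -d)}"           # where the PEM files land
DAYS=365

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# sign_csr <csr> <out-cert> <extension lines>: sign a CSR with the CA,
# attaching the given X.509v3 extensions via a temporary extfile.
sign_csr() {
    printf '%s\n' "$3" > "$OUT/ext.cnf"
    openssl x509 -req -days "$DAYS" -sha256 -in "$1" -CA "$OUT/ca.pem" \
        -CAkey "$OUT/ca-key.pem" -CAcreateserial -out "$2" \
        -extfile "$OUT/ext.cnf" 2>/dev/null
    rm -f "$OUT/ext.cnf"
}

gen_certs() {
    # CA. The page encrypts this key with -aes256; it is unencrypted here
    # only so the script runs unattended. Keep it off the daemon host.
    openssl genrsa -out "$OUT/ca-key.pem" 4096 2>/dev/null
    openssl req -new -x509 -days "$DAYS" -key "$OUT/ca-key.pem" -sha256 \
        -subj "/CN=docker-ca" -out "$OUT/ca.pem"

    # Server certificate. The CN alone is not enough for modern clients:
    # the SAN must list every name/IP clients will dial, and the EKU
    # restricts the certificate to server use.
    openssl genrsa -out "$OUT/server-key.pem" 4096 2>/dev/null
    openssl req -subj "/CN=$HOST" -sha256 -new -key "$OUT/server-key.pem" \
        -out "$OUT/server.csr"
    sign_csr "$OUT/server.csr" "$OUT/server-cert.pem" \
        "subjectAltName = DNS:$HOST,IP:$ADDR,IP:127.0.0.1
extendedKeyUsage = serverAuth"

    # Client certificate. With "tlsverify": true dockerd rejects any
    # connection that does not present a certificate chaining to ca.pem.
    openssl genrsa -out "$OUT/key.pem" 4096 2>/dev/null
    openssl req -subj "/CN=client" -sha256 -new -key "$OUT/key.pem" \
        -out "$OUT/client.csr"
    sign_csr "$OUT/client.csr" "$OUT/cert.pem" "extendedKeyUsage = clientAuth"

    rm -f "$OUT/server.csr" "$OUT/client.csr"
    chmod 0400 "$OUT"/ca-key.pem "$OUT"/server-key.pem "$OUT"/key.pem
    chmod 0444 "$OUT"/ca.pem "$OUT"/server-cert.pem "$OUT"/cert.pem
}

# verify_cert <ca-file> <cert-file>: 0 if the cert chains to that CA, else 1
verify_cert() {
    openssl verify -CAfile "$OUT/$1" "$OUT/$2" >/dev/null 2>&1
}

# cert_has_eku <cert-file> <Server|Client>: 0 if that EKU is present
cert_has_eku() {
    openssl x509 -in "$OUT/$1" -noout -text | grep -q "TLS Web $2 Authentication"
}

gen_certs
echo "PEM files written to $OUT"
echo "daemon:  copy ca.pem, server-cert.pem, server-key.pem to /etc/docker/certs/"
echo "client:  docker --tlsverify --tlscacert=$OUT/ca.pem --tlscert=$OUT/cert.pem --tlskey=$OUT/key.pem -H tcp://$HOST:2376 version"
echo "curl:    curl --cacert $OUT/ca.pem --cert $OUT/cert.pem --key $OUT/key.pem https://$HOST:2376/version"
```

Only ca.pem, cert.pem and key.pem go to the machines that will call the API; server-cert.pem and server-key.pem go to /etc/docker/certs/ on the daemon host, and ca-key.pem stays wherever you sign certificates. For the plaintext listener from the first section the equivalent smoke test is curl http://127.0.0.1:2375/version from the daemon host itself.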