`ros tls generate` is used to generate both the client and server TLS certificates for Docker. Remember, all `ros` commands need to be run with `sudo` or as the `root` user.

To have Docker secured by TLS you need to set `rancher.docker.tls` to `true`, and generate a set of server and client keys and certificates:
```
$ sudo ros config set rancher.docker.tls true
$ sudo ros tls gen --server -H localhost -H <hostname1> -H <hostname2> ... -H <hostnameN>
$ sudo system-docker restart docker
```
Here, the `<hostname*>`s are the hostnames that you will be able to use as your Docker host names. A `<hostname*>` can be a wildcard pattern, e.g. `*.*.*.*.*`. It is recommended to have `localhost` as one of the hostnames, so that you can test Docker TLS connectivity locally.

When you've done that, all the necessary server certificate and key files have been saved to the `/etc/docker/tls` directory, and the `docker` service has been started with the `--tlsverify` option.
You also need a client cert and key to access Docker via a TCP socket now:

```
$ sudo ros tls gen
INFO[0000] Out directory (-d, --dir) not specified, using default: /home/rancher/.docker
```

All the Docker client TLS files are in the `~/.docker` dir now.
Now you can use your client cert to check whether you can access Docker via TCP:

```
$ docker --tlsverify version
```

Because all the necessary files are in the `~/.docker` dir, you don't need to specify them using the `--tlscacert`, `--tlscert` and `--tlskey` options. You also don't need `-H` to access Docker on `localhost`.
Copy the files from `/home/rancher/.docker` to `$HOME/.docker` on your client machine if you need to access Docker on your RancherOS host from there.

On your client machine, set the Docker host and check that Docker commands work:

```
$ export DOCKER_HOST=tcp://<hostname>:2376 DOCKER_TLS_VERIFY=1
$ docker ps
```