To add a Docker engine and connect to it remotely, we’ll first need to configure the Docker daemon to listen on a TCP port. ClearGLASS supports two ways to connect with a Docker engine:
1) Connecting to TLS enabled Docker engines
2) Connecting to remote Docker API (insecure), optionally protected with http basic auth
Adding a TLS enabled Docker engine
Many resources can be used to set TLS with Docker, we have found the instructions on https://docs.docker.com/articles/https/ very helpful.
In the Docker TLS case, ClearGLASS supports the scenario where the client authenticates via a client certificate and also the server CA certificate is authenticated:
Authenticate with client certificate and authenticate server based on given CA
This is the equivalent of docker being started with something like
$ docker daemon --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
In this case we have to provide ClearGLASS with the hostname and port of the Docker server, the client private key (key.pem) and certificate file (cert.pem), and the CA certificate file (ca.pem).
Again curl is our friend: if the following command works, we know we are providing the correct credentials.
$ curl https://hostname:2376/images/json --cert cert.pem --key key.pem --cacert ca.pem
While we create the certificates, we have to make sure that the “Common Name” (i.e., server FQDN or YOUR name) matches the hostname we use to connect to Docker, otherwise the connection will fail.
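The hostname check above is the one that bites most often, so here is an added example (not part of the original article or of ClearGLASS) that reproduces it with openssl before touching Docker at all. It builds a throwaway CA and a server certificate for a hostname of our choosing, then runs the same name check that curl and the Docker client perform when they validate server-cert.pem against ca.pem. The hostname, directory and file names are constructed for the example; in practice point cert_matches_host at the real ca.pem and server-cert.pem. The example also puts the hostname in a subjectAltName, because Go-based clients such as Docker ignore the Common Name and match against the SAN only.

```shell
#!/bin/sh
# Added example: generate throwaway TLS material for a given hostname and verify
# that the server certificate is valid for that hostname. Not code from the
# original article; the hostname and output directory are constructed inputs.
set -e

make_test_certs() {
  # $1 = hostname the Docker engine will be reached by, $2 = output directory
  host="$1"; dir="$2"
  mkdir -p "$dir"
  # Self-signed CA (what the Docker docs call ca.pem / ca-key.pem)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
      -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  # Server key + CSR with the hostname as Common Name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  # Put the hostname in a SAN as well: modern clients match on the SAN, not the CN
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/ext.cnf"
  openssl x509 -req -days 1 -in "$dir/server.csr" \
      -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
      -extfile "$dir/ext.cnf" -out "$dir/server-cert.pem" 2>/dev/null
}

cert_matches_host() {
  # $1 = hostname used to connect, $2 = directory holding ca.pem and server-cert.pem
  # Succeeds only if server-cert.pem chains to ca.pem AND is valid for the hostname,
  # which is exactly what `curl --cacert ca.pem https://hostname:2376/...` requires.
  openssl verify -CAfile "$2/ca.pem" -verify_hostname "$1" "$2/server-cert.pem" >/dev/null 2>&1
}

# Stand-alone usage: sh check-cert.sh <hostname> <dir-with-ca.pem-and-server-cert.pem>
if [ "$#" -eq 2 ]; then
  if cert_matches_host "$1" "$2"; then
    echo "server-cert.pem is valid for $1"
  else
    echo "server-cert.pem does NOT match $1 (or does not chain to ca.pem)" >&2
    exit 1
  fi
fi
```

Running cert_matches_host with a hostname other than the one the certificate was issued for fails, which is the same failure ClearGLASS and curl report when the Common Name / SAN and the configured hostname disagree.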
Once we add our Docker engine, all the containers will be added to our machines list, neatly tagged as Docker containers to be easily distinguished from the rest of our infrastructure.
Adding a Remote Docker API connection (optionally protected with http basic auth)
We can configure the Docker daemon to listen on a TCP port and connect to it remotely without TLS.
By default the Docker daemon listens on unix:///var/run/docker.sock, so in order to be able to connect remotely we have to start the Docker server like this:
docker -d -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
or for more recent versions of docker the equivalent command would be
docker daemon -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
Of course this leaves the server open to anyone who can connect to that port, and the Docker API gives root-equivalent control of the host. One solution is to apply http basic auth: password-protect our Docker API behind a web server that proxies the port.
First, let’s set up a password file by running:
htpasswd -c /etc/nginx/.htpasswd mist-user
and typing the password. Next, we’ll enable auth to our nginx configuration by adding:
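The following nginx server block is an added example of such a configuration; it is not the article's own snippet and not part of ClearGLASS. It assumes nginx takes the externally reachable port 4243 and that the Docker daemon itself is bound only to the loopback address (started with -H tcp://127.0.0.1:2375, or left on its unix socket), so that the unauthenticated API is never reachable from the network except through the password-protected proxy. The hostname and the backend port are assumptions for the example.

```nginx
# Added example: nginx in front of the Docker API with http basic auth.
# Assumes the Docker daemon listens on 127.0.0.1:2375 (loopback only) and that
# /etc/nginx/.htpasswd was created with the htpasswd command above.
server {
    listen 4243;
    server_name docker-host.example.internal;   # assumed hostname

    # Every request must carry valid basic-auth credentials
    auth_basic           "Docker API";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:2375;
        # alternative if the daemon only exposes its unix socket
        # (nginx's worker user must then be allowed to read the socket):
        # proxy_pass       http://unix:/var/run/docker.sock:;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   Connection "";
    }
}
```

After reloading nginx, the same curl check as in the TLS section confirms the setup: curl -u mist-user http://docker-host.example.internal:4243/images/json should return the image list, while the same URL without -u should return 401. Because basic auth sends the password in the clear, this only protects the API on a network you trust or when the proxy itself terminates TLS.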
Once we’ve set that up, we can add our Docker engine to ClearGLASS:
All we need is the IP address and port of the Docker engine, plus the http basic auth username and password if we are using basic auth. Don't forget to specify the http or https prefix in front of the IP address/hostname.
In this example we are connecting to an http server that runs on port 4243 and is a proxy in front of our Docker server. The Docker server could run as a unix socket or as a tcp local port, as in this case.
With the Docker engine added, all the containers will be added to our machines list, neatly tagged as Docker containers to be easily distinguished from the rest of our infrastructure.
==== Related Articles ====
* Quick Start Guide
* Managing Infrastructure