Protect the Docker daemon socket
By default, Docker runs via a non-networked Unix socket. It can also optionally communicate using an HTTP socket.
If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker's tlscacert flag to a trusted CA certificate.
In daemon mode, it only accepts connections from clients that present a certificate signed by that CA. In client mode, it only connects to servers whose certificate is signed by that CA.
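As an added example (not from the Docker documentation), the following POSIX shell script builds the certificate set those flags expect: a private CA, a daemon certificate restricted to serverAuth, and a client certificate restricted to clientAuth. It then checks that each leaf chains to the CA for its intended role and shows the matching dockerd and docker invocations. It assumes openssl is on PATH; docker.example.test is a constructed host name.

```shell
#!/bin/sh
# Added example: build the certificate set that --tlsverify/--tlscacert expect.
# Assumes: openssl on PATH. $2 is the DNS name clients will dial (constructed).
make_docker_tls_certs() {
  dir=$1; host=$2
  mkdir -p "$dir" || return 1
  # 1. Private CA: the single trust anchor both daemon and client verify against.
  openssl genrsa -out "$dir/ca-key.pem" 4096 2>/dev/null || return 1
  openssl req -new -x509 -days 365 -sha256 -key "$dir/ca-key.pem" \
    -subj "/CN=docker-ca" -out "$dir/ca.pem" || return 1
  # 2. Daemon certificate: CN/SAN must match the host name clients connect to.
  openssl genrsa -out "$dir/server-key.pem" 4096 2>/dev/null || return 1
  openssl req -new -sha256 -key "$dir/server-key.pem" -subj "/CN=$host" \
    -out "$dir/server.csr" || return 1
  printf 'subjectAltName = DNS:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
    "$host" > "$dir/server-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server-ext.cnf" \
    -out "$dir/server-cert.pem" 2>/dev/null || return 1
  # 3. Client certificate: clientAuth only, so a leaked client cert cannot
  #    be used to impersonate the daemon.
  openssl genrsa -out "$dir/key.pem" 4096 2>/dev/null || return 1
  openssl req -new -sha256 -key "$dir/key.pem" -subj "/CN=docker-client" \
    -out "$dir/client.csr" || return 1
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/client-ext.cnf" \
    -out "$dir/cert.pem" 2>/dev/null || return 1
  rm -f "$dir"/*.csr "$dir"/*-ext.cnf
  # Private keys readable only by their owner; public certs world-readable.
  chmod 0400 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/key.pem" || return 1
  chmod 0444 "$dir/ca.pem" "$dir/server-cert.pem" "$dir/cert.pem"
}

# Check that each leaf chains to ca.pem for its intended role, and that the
# daemon's cert is rejected as a client cert (the EKU split is doing its job).
check_docker_tls_certs() {
  dir=$1
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/cert.pem" >/dev/null 2>&1 || return 1
  ! openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/server-cert.pem" >/dev/null 2>&1
}

# How the files map onto the flags (docker.example.test is a constructed name):
#   make_docker_tls_certs /etc/docker/tls docker.example.test && check_docker_tls_certs /etc/docker/tls
#   dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
#   docker  --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=docker.example.test:2376 version
```

With tlsverify set on the daemon, a client that lacks a CA-signed clientAuth certificate is refused at the TLS handshake, before any API request is parsed.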
Warning: Using TLS and managing a CA is an advanced topic. Please familiarize yourself with OpenSSL, x509 and TLS before using it in production.
Warning: These TLS commands will only generate a working set of certificates on Linux. Mac OS X comes with a version of OpenSSL that is incompatible with the certific