Docs: articles/https minor amendments and update
This commit proposes some minor amendments and updates for the articles/https.md document to fix certain errors, inc.: - Marking commands / flags as code (e.g. `tlsverify`) [done before rebase] - Capitalising the word Docker - Normalizing headers to match the rest of the docs; - Expanding the page description to match the page title and the content; - Capitalizing HTTPS etc.; - Some spelling error fixes; - Line-length adjustments to make it easier to read the raw file. It does not propose any fundemental changes to the structure of the document. Certain changes were based before another update on this doc. Docker-DCO-1.1-Signed-off-by: O.S. Tezer <ostezer@gmail.com> (github: ostezer)
This commit is contained in:
O.S. Tezer
parent
403df1765a
commit
711fb3e19d
|
|
@ -1,6 +1,6 @@
|
|||
page_title: Docker HTTPS Setup
|
||||
page_description: How to set Docker up with https
|
||||
page_keywords: docker, example, https, daemon
|
||||
page_title: Running Docker with HTTPS
|
||||
page_description: How to setup and run Docker with HTTPS
|
||||
page_keywords: docker, docs, article, example, https, daemon, tls, ca, certificate
|
||||
|
||||
# Running Docker with https
|
||||
|
||||
|
|
@ -11,9 +11,9 @@ If you need Docker to be reachable via the network in a safe manner, you can
|
|||
enable TLS by specifying the `tlsverify` flag and pointing Docker's
|
||||
`tlscacert` flag to a trusted CA certificate.
|
||||
|
||||
In daemon mode, it will only allow connections from clients
|
||||
authenticated by a certificate signed by that CA. In client mode, it
|
||||
will only connect to servers with a certificate signed by that CA.
|
||||
In the daemon mode, it will only allow connections from clients
|
||||
authenticated by a certificate signed by that CA. In the client mode,
|
||||
it will only connect to servers with a certificate signed by that CA.
|
||||
|
||||
> **Warning**:
|
||||
> Using TLS and managing a CA is an advanced topic. Please familiarize yourself
|
||||
|
|
@ -82,24 +82,24 @@ need to provide your client keys, certificates and trusted CA:
|
|||
> Docker over TLS should run on TCP port 2376.
|
||||
|
||||
> **Warning**:
|
||||
> As shown in the example above, you don't have to run the `docker` client
|
||||
> with `sudo` or the `docker` group when you use certificate
|
||||
> authentication. That means anyone with the keys can give any
|
||||
> instructions to your Docker daemon, giving them root access to the
|
||||
> machine hosting the daemon. Guard these keys as you would a root
|
||||
> password!
|
||||
> As shown in the example above, you don't have to run the `docker` client
|
||||
> with `sudo` or the `docker` group when you use certificate authentication.
|
||||
> That means anyone with the keys can give any instructions to your Docker
|
||||
> daemon, giving them root access to the machine hosting the daemon. Guard
|
||||
> these keys as you would a root password!
|
||||
|
||||
## Secure By Default
|
||||
## Secure by default
|
||||
|
||||
If you want to secure your Docker client connections by default, you can move the files
|
||||
to the `.docker` directory in your home directory. Set the `DOCKER_HOST` variable as well.
|
||||
If you want to secure your Docker client connections by default, you can move
|
||||
the files to the `.docker` directory in your home directory - and set the
|
||||
`DOCKER_HOST` variable as well.
|
||||
|
||||
$ cp ca.pem ~/.docker/ca.pem
|
||||
$ cp client-cert.pem ~/.docker/cert.pem
|
||||
$ cp client-key.pem ~/.docker/key.pem
|
||||
$ export DOCKER_HOST=tcp://:2376
|
||||
|
||||
Then you can just run docker with the `--tlsverify` option.
|
||||
Then you can just run Docker with the `--tlsverify` option.
|
||||
|
||||
$ docker --tlsverify ps
|
||||
|
||||
|
|
@ -122,10 +122,10 @@ Docker in various other modes by mixing the flags.
|
|||
- `tlsverify`, `tlscacert`, `tlscert`, `tlskey`: Authenticate with client
|
||||
certificate and authenticate server based on given CA
|
||||
|
||||
The client will send its client certificate if found, so you just need
|
||||
to drop your keys into `~/.docker/<ca, cert or key>.pem`. Alternatively, if you
|
||||
want to store your keys in another location, you can specify that location
|
||||
using the environment variable `DOCKER_CONFIG`.
|
||||
If found, the client will send its client certificate, so you just need
|
||||
to drop your keys into `~/.docker/<ca, cert or key>.pem`. Alternatively,
|
||||
if you want to store your keys in another location, you can specify that
|
||||
location using the environment variable `DOCKER_CONFIG`.
|
||||
|
||||
$ export DOCKER_CONFIG=${HOME}/.dockers/zone1/
|
||||
$ docker --tlsverify ps
|
||||
|
|
|
|||
Loading…
Reference in New Issue