CentOS 7, Docker 1.10 and TLS

After my three months of absence from work, the first thing I had to do on my work environment was ... updates, and as usual not everything worked flawlessly afterwards. One thing that broke was my Docker service on my virtual testing sandbox based on CentOS 7 as a VMware guest. This is the story of rebuilding the Docker setup after completely removing the old installation.

removing the official EL7 packages

Since I could not bring the Docker version from the official EL7 package repository to life, the only choice I had was to remove the official package and install the packages from the Docker-maintained repository.

$ yum remove docker docker-selinux docker-registry docker-io

After that I removed the old configuration files from /etc/sysconfig/docker* and the data folder /var/lib/docker.

Since I used TLS to connect to the Docker daemon from a remote host, I had to make sure I was not accidentally deleting my SSL infrastructure.

adding docker-maintained package repository

To add the Docker repository I had to put the following content into a file called /etc/yum.repos.d/docker.repo:

[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg

After that I could install the new Docker package with

$ yum install docker-engine

To enable the Docker service at startup, the following command is necessary:

$ systemctl enable docker.service

enabling tls-verify

There are no configuration files when Docker's package repository is used. To enable TLS and specify the appropriate files I had to create a new systemd drop-in config which is read at service startup. This file is saved under /etc/systemd/system/docker.service.d/docker.conf and has the following content:

[Service]
# The empty ExecStart= clears the command inherited from the packaged unit file;
# the second ExecStart= is the one that is actually run.
ExecStart=
ExecStart=/usr/bin/docker daemon --selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem --host=tcp://0.0.0.0:2376 --host=unix:///var/run/docker.sock

This overrides the start command and adds the parameters that enable TLS with client certificate verification (--tlsverify) and the TCP listener used for communication over the network, while keeping the local Unix socket.
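As an added example (not from the original post), here is a small Python audit script that parses a drop-in like the one above and flags the weak settings a reviewer would look for: a tcp:// listener without --tlsverify, missing certificate flags, the conventional plaintext port 2375, a relative unix:// socket path, and a server key that is readable by group or others. The two sample drop-ins are constructed; the paths match the post, but nothing is read from /etc unless you pass a file on the command line.

```python
import os
import stat
import shlex
import sys
import tempfile
from typing import Dict, List

# Constructed samples (not real files). The first mirrors the drop-in from the
# post; the second is a deliberately weakened variant for comparison.
GOOD_DROPIN = """[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon --selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem --host=tcp://0.0.0.0:2376 --host=unix:///var/run/docker.sock
"""

WEAK_DROPIN = """[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon --selinux-enabled --tls --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem --host=tcp://0.0.0.0:2375 --host=unix:///var/run/docker.sock
"""


def parse_exec_start(dropin: str) -> Dict[str, object]:
    """Extract the daemon flags from the effective ExecStart= line.

    systemd clears the inherited command with an empty ExecStart= and then
    takes the following one, so the last non-empty ExecStart= wins.
    """
    cmd = None
    for line in dropin.splitlines():
        line = line.strip()
        if line.startswith("ExecStart=") and line != "ExecStart=":
            cmd = line[len("ExecStart="):]
    if cmd is None:
        raise ValueError("no ExecStart= command found")
    hosts: List[str] = []
    switches = set()
    values: Dict[str, str] = {}
    for tok in shlex.split(cmd)[1:]:  # skip the binary itself
        if not tok.startswith("--"):
            continue  # subcommand such as "daemon"
        name, sep, value = tok[2:].partition("=")
        if name == "host":
            hosts.append(value)
        elif sep:
            values[name] = value
        else:
            switches.add(name)
    return {"hosts": hosts, "switches": switches, "values": values}


def audit_dropin(dropin: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    flags = parse_exec_start(dropin)
    findings: List[str] = []
    tcp_hosts = [h for h in flags["hosts"] if h.startswith("tcp://")]
    if tcp_hosts and "tlsverify" not in flags["switches"]:
        findings.append("tcp listener without --tlsverify: clients are not "
                        "authenticated by certificate (--tls alone only encrypts)")
    if "tlsverify" in flags["switches"]:
        for opt in ("tlscacert", "tlscert", "tlskey"):
            if opt not in flags["values"]:
                findings.append(f"--tlsverify set but --{opt} is missing")
    for h in tcp_hosts:
        if h.rsplit(":", 1)[-1] == "2375":
            findings.append(f"{h}: 2375 is the conventional plaintext port; "
                            "TLS listeners conventionally use 2376")
    for h in flags["hosts"]:
        if h.startswith("unix://") and not h.startswith("unix:///"):
            findings.append(f"{h}: socket path is relative; use unix:///var/run/docker.sock")
    return findings


def key_file_is_private(path: str) -> bool:
    """True when the key file carries no group or other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_key_perms(mode: int) -> bool:
    """Self-test helper: create a throwaway file with the given mode and check it."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return key_file_is_private(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"post drop-in": GOOD_DROPIN, "weakened drop-in": WEAK_DROPIN}
    for label, text in samples.items():
        found = audit_dropin(text)
        print(f"{label}: {'OK' if not found else ''}")
        for finding in found:
            print("  -", finding)
```

Run it with no arguments to compare the two constructed samples, or point it at the real drop-in (python3 audit.py /etc/systemd/system/docker.service.d/docker.conf) and then call key_file_is_private() on the --tlskey path it reports. Remember that systemd only picks up a new or edited drop-in after `systemctl daemon-reload`, so run that before restarting the Docker service, and confirm afterwards with `systemctl show docker -p ExecStart` that the TLS flags are really in the effective command.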

adding custom images

To add my custom images without building them on the host or publishing them to a public image repository, I can now use the following command:

$ docker save my/custom-image | \
    docker --tlsverify \
           --tlscacert=/path/to/cacert.pem \
           --tlscert=/path/to/client/cert.pem \
           --tlskey=/path/to/client/key.pem \
           --host=tcp://docker.host:2376 \
           load