CentOS 7, Docker 1.10 and TLS
After my three months of absence from work, the first thing I had to do on my work environment was ... updates, and as usual not everything worked flawlessly afterwards. One thing that broke was my Docker service on my virtual testing sandbox, a CentOS 7 VMware guest. This is the story of rebuilding the Docker setup after completely removing the old installation.
Removing the official EL7 packages
Since I could not bring the Docker version from the official EL7 package repository to life, the only choice I had was to remove the official package and install the packages from the Docker-maintained repository.
$ yum remove docker docker-selinux docker-registry docker-io
After that I removed the old configuration files /etc/sysconfig/docker* and the data folder /var/lib/docker.
Since I used TLS to connect to the Docker daemon from a remote host, I had to take care not to accidentally delete my SSL infrastructure.
Adding the Docker-maintained package repository
To add the Docker repository I had to put the following content into a file called /etc/yum.repos.d/docker.repo:
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
After that I could install the new Docker package with
$ yum install docker-engine
To enable the Docker service at startup, the following command is necessary:
$ systemctl enable docker.service
Enabling tlsverify
There are no /etc/sysconfig configuration files when Docker's package repository is used. To enable TLS and point the daemon at the appropriate certificate files, I had to create a systemd drop-in that is read at service startup. This file is saved under /etc/systemd/system/docker.service.d/docker.conf and has the following content:
[Service]
# The empty ExecStart= clears the command from the packaged unit before the new one is set.
ExecStart=
# A unix socket URL needs three slashes (unix:///var/run/docker.sock), otherwise the path is relative.
ExecStart=/usr/bin/docker daemon --selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem --host=tcp://0.0.0.0:2376 --host=unix:///var/run/docker.sock
This replaces the start command and adds the parameters that enable TLS and the TCP listener for communication over the network. With --tlsverify the daemon only accepts TCP clients that present a certificate signed by the CA in ca.pem; that client certificate is the only access control on port 2376, so the daemon must not be started with plain --tls on a reachable interface.
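Because a typo in that single ExecStart line silently weakens or breaks the daemon, it is worth linting the drop-in before "systemctl daemon-reload". The following POSIX shell script is an added example, not code from the original post: it reads the effective ExecStart= line from a drop-in and checks for --tlsverify, the three certificate paths and a well-formed unix socket URL. The file paths and the two sample drop-ins it writes (one weak, one in the corrected form) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): lint a systemd drop-in for the
# Docker daemon before reloading it. Paths and sample contents are assumptions.

# lint_docker_dropin FILE
# Takes the effective ExecStart= line from FILE and checks the TLS-related
# flags. Returns 0 when the configuration is acceptable, 1 otherwise.
lint_docker_dropin() {
    file="$1"
    status=0

    # systemd semantics: an empty "ExecStart=" clears the packaged unit's
    # command list, so the last non-empty ExecStart= is the one that runs.
    cmd=$(grep '^ExecStart=.' "$file" | tail -n 1 | sed 's/^ExecStart=//')
    if [ -z "$cmd" ]; then
        echo "FAIL: no effective ExecStart= line in $file"
        return 1
    fi

    # One argument per line so every check below is a plain grep.
    args=$(printf '%s\n' "$cmd" | tr ' ' '\n')

    # 1. Client certificates must be verified. "--tls" alone only encrypts
    #    the channel; without --tlsverify anyone who reaches the port gets
    #    full control of the daemon (and therefore root on the host).
    if ! printf '%s\n' "$args" | grep -qx -- '--tlsverify'; then
        echo "FAIL: --tlsverify missing, TCP clients would not be authenticated"
        status=1
    fi

    # 2. Verification needs the CA plus the server certificate and key.
    for flag in --tlscacert --tlscert --tlskey; do
        if ! printf '%s\n' "$args" | grep -q -- "^$flag=."; then
            echo "FAIL: $flag=... is not set"
            status=1
        fi
    done

    # 3. A unix socket URL needs three slashes (unix:///var/run/docker.sock);
    #    "unix://var/run/..." is a relative path and is easy to get wrong.
    if printf '%s\n' "$args" | grep -q -- '^--host=unix://[^/]'; then
        echo "FAIL: unix socket --host must use the form unix:///absolute/path"
        status=1
    fi

    # 4. Listening on every interface is common, but then the client
    #    certificate is the only access control on port 2376.
    if printf '%s\n' "$args" | grep -q -- '^--host=tcp://0\.0\.0\.0:'; then
        echo "WARN: daemon listens on all interfaces; firewall port 2376 or bind to one address"
    fi

    [ "$status" -eq 0 ] && echo "OK: $file"
    return "$status"
}

# Constructed sample drop-ins for the demo (not the post's real files).
write_weak_dropin() {   # --tls only, no CA, mistyped unix socket URL
    cat > "$1" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon --tls --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem --host=tcp://0.0.0.0:2376 --host=unix://var/run/docker.sock
EOF
}

write_hardened_dropin() {   # the corrected form shown in the post
    cat > "$1" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon --selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem --host=tcp://0.0.0.0:2376 --host=unix:///var/run/docker.sock
EOF
}

# Stand-alone demo: lint both samples. A real run would lint
# /etc/systemd/system/docker.service.d/docker.conf before "systemctl daemon-reload".
demo() {
    weak=$(mktemp) && good=$(mktemp) || return 1
    write_weak_dropin "$weak"
    write_hardened_dropin "$good"
    echo "--- weak drop-in";     lint_docker_dropin "$weak" || true
    echo "--- hardened drop-in"; lint_docker_dropin "$good" || true
    rm -f "$weak" "$good"
}
demo
```

To use it on the real file, call lint_docker_dropin /etc/systemd/system/docker.service.d/docker.conf and only run "systemctl daemon-reload && systemctl restart docker" when it returns 0; the WARN about 0.0.0.0 is a reminder to restrict port 2376 at the firewall, not an error.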
Adding custom images
To add my custom images without building them on the host or publishing them to a public image repository, I can now use the command as follows:
$ docker save my/custom-image | \
docker --tlsverify \
--tlscacert=/path/to/cacert.pem \
--tlscert=/path/to/client/cert.pem \
--tlskey=/path/to/client/key.pem \
--host=tcp://docker.host:2376 \
load