Title: How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
1(No Transcript)
2How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Shipyard is a management tool for Docker servers.
- Docker is a cutting-edge piece of software used
for containerization. - Shipyard allows you to see which containers each
of your servers are running, in order to start or
stop existing containers or create new ones. - Once youve set up Shipyard on your server you
can access it using a graphic interface, a
command-line interface, or an API. - Shipyard lacks some of the advanced features of
other Docker orchestration tools, but its very
simple to set up, free to use, and you can manage
and host it yourself. - It also lets you manage resource allocation to
specific containers and manage containers across
multiple Docker hosts. - However, its important to ensure that your
Docker server and Shipyard system are secure,
especially if they are being used in production.
3How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- In this article, we are going to show you
Shipyard 2.0.10 installation setup on a single
CoreOS server and securing Docker with a TLS
certificate to ensure that only authorized
clients may connect to it - TLS Stands for Transport Layer Security which is
used to encrypt data as it is transported from
the client to the server and back again. - Here, well use it to encrypt our connection to
the Docker host, and Dockers connection to
Shipyard.
4How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Prerequisites
- In order to setup shipyard 2.0.10 with TLS on
CoreOS, we need to make sure that following
prerequisites are complete. - First of all setup one CoreOS Droplet with at
least 1 GB or more recommended RAM and choose the
latest stable version of CoreOS. - Login to your server using SSH-key as all CoreOS
servers require an SSH key, then setup a fully
qualified domain name (FQDN) or subdomain for
your Docker host. - Now lets start with setting up Docker to use
certificates for authentication.
5How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Creating the Server Certificate
- CoreOS comes with OpenSSL, a utility that can be
used to generate and sign certificates. - Lets create a Certificate Authority that we can
use to sign server and client certificates. - First, create and move to a directory called
dockertls, so its easy to remember where the
files are. -
- mkdir /dockertls cd /dockertls
6How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Then create an RSA private key using below
command which will prompt you to create a
passphrase for your key. - openssl genrsa -aes256 -out private-key.pem
4096 - Here in this command genrsa will generate a
private RSA private key. -out private-key.pem spec
ifies the name of the file we want to generate,
which is private-key.pem and the last
bit, 4096, is the length of the key in bits. - Its recommended to keep this at a high number
like 4096. - Next, generate a new certificate and sign it with
the private key we just created. Youll need to
enter the same passphrase you chose when creating
the key. - openssl req -new -x509 -sha512 -days 365 -key
private-key.pem -out myca.pem
7How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Here OpenSSL will also ask for some required
information, like the FQDN of your server and the
county your organization is based out of. Lets
try to answer these questions as accurately as
possible. This is the last step in creating our
self-signed Certificate Authority, or CA as shown
below.
8How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- After creating CA, we will create some server
certificates for use with the Docker daemon. - The following two commands generate a signing
request but sure to replace test.com with the
domain or subdomain of your own you using for
Docker. - openssl genrsa -out docker-1-key.pem 4096
openssl req -subj "/CNexample.com" -sha512 -new
-key docker-1-key.pem -out docker.csr - Finally, sign with the CAs private key. Youll
need to enter the key passphrase again. - openssl x509 -req -days 365 -sha256 -in
docker.csr -CA myca.pem -CAkey private-key.pem
-CAcreateserial -out final-server-cert.pem - This will create a file in the current directory
called final-server-cert.pem, which is the server
certificate that will be used on the Docker host.
9How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
10How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- 2) Creating the Client Certificate
- After creating server certificate, we need to
create a client certificate. - This will be used whenever we try to connect to
the Docker host. - It will verify that the client connection has
actually been verified and signed by our personal
CA. - Therefore, only authorized clients will be
allowed to connect and send commands to Docker. - First, create another signing request for the
client using below commands. - openssl genrsa -out client-key.pem 4096
openssl req -subj '/CNclient' -new -key
client-key.pem -out docker-client.csr
11How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- We need to create a config file which specifies
that the resulting certificate can actually be
used for client authentication. - echo extendedKeyUsage clientAuth gt
client.cnf - The will creates a file called 'client.cnf' with
the content extendedKeyUsage clientAuth without
needing to use a text editor. - Next, sign the client with the CA key.
- openssl x509 -req -days 365 -sha512 -in
docker-client.csr -CA myca.pem -CAkey
private-key.pem - CAcreateserial -out client.pem
-extfile client.cnf Signature ok
subject/CNclient Getting CA Private Key
Enter pass phrase for private-key.pem - Now we have a CA, a server certificate, and a
client certificate setup lets move to the next
step.
12How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- 3) Configuring Docker and CoreOS
- In this step, well configure the Docker daemon
to use our certificates by modifying the startup
options for Docker. - CoreOS uses systemd command to manage services.
- Lets start by editing the Docker unit file.
Theres an option for the systemctl command that
will help us by duplicating the actual unit file
instead of modifying the original directly. - Open the Docker unit file for editing using
systemctl as shown. - sudo systemctl edit --full docker
- This will open the file for editing using vim,
find the line that begins with ExecStart/usr/lib/
coreos/dockerd. Append this line with below
config after hostfd// of that line as shown. - ExecStart/usr/lib/coreos/dockerd daemon
--hostfd// --tlsverify --tlscacert/home/core/do
ckertls/myca.pem -- tlscert/home/core/dockertls/f
inal-server-cert.pem --tlskey/home/core/dockertls
/docker-1-key.pem -H0.0.0.02376 DOCKER_OPTS
DOCKER_CGROUPS DOCKER_OPT_BIP DOCKER_OPT_MTU
DOCKER_OPT_IPMASQ
13How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
14How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Here in this configuration --tlsverify simply
turns on TLS verification so that only authorized
clients may connect. - --tlscacert specifies the location of our CAs
certificate. - --tlscert specifies the server certificate
location. - --tlskey specifies the server key location
and -H0.0.0.02376 means that Docker will listen
for connections from anywhere, but it still will
not allow any connections that dont have an
authorized client key or certificate.
15How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Now reload the Docker daemon after saving and
closing the file, so that it will use our new
configuration. - sudo systemctl restart docker sudo
systemctl status docker - Once the docker service is up running, then run
the command below to test our TLS verification. - docker --tlsverify --tlscacertmyca.pem
--tlscertclient.pem --tlskeyclient-key.pem
-Htest.com2376 info - You will get some basic system information about
your Docker host as shown below. - This means you just secured your Docker host with
TLS. - If you get an error, check the logs using
systemctl status docker. - You we can access Docker host from anywhere as
long as we are connecting using a valid
certificate and client key. We can generate and
sign as many client certificates as we want for
use in a cluster.
16How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- 4) Installing Shipyard
- In this step, we will install Shipyard.
- Once you have Docker running, it is quite easy to
install Shipyard because it ships as Docker
images. - All you need to do is pull the images from the
Docker registry and run the necessary containers. - First we will create a data volume container to
hold Shipyards database data. - This container wont do anything by itself it is
a convenient label for the location of all of
Shipyards data. - docker create --name shipyard-rethinkdb-data
shipyard/rethinkdb
17How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Now that the data volume container is created,
this is the database engine Shipyard uses to keep
track of real-time data from Docker. - Now we can launch the database server for
Shipyard and link them together. - docker run -it -d --name shipyard-rethinkdb
--restartalways --volumes-from
shipyard-rethinkdb-data -p 127.0.0.1491538080
-p 127.0.0.14915428015 -p 127.0.0.12901529015
shipyard/rethinkdb - This command also ensures that RethinkDB will
only listen on localhost. This is a good way to
secure this database because it means no one will
be able to access it from outside the server. - Well be using Shipyard version 2.0.10 because
its the easiest to configure with Docker TLS. - The following command will start a new container
that runs Shipyard and links it to the RethinkDB
container, allowing them to communicate. - docker run -it -p 80808080 -d --restartalways
--name shipyard --link shipyard-rethinkdbrethinkd
b shipyard/shipyard2.0.10
18How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
19How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- 5) Accessing Shipyard Web
- Once you have completed your Shipyard setup, open
your web browser to visit http//test.com8080 or
http//your_server_ip8080 to access the Shipyard
control panel. You can log in with the default
username admin and password shipyard.
20How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Shipyard will prompt you to add a new engine to
the cluster. Click the green ADD button.
21How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- You will be presented with some options to fill
with name of the new engine and it keys like
shown below.
22How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Once you have updated the required information
then click on the ADD button at the bottom of the
page. - If everything is configured correctly,
- If you point to the Shipyard dashboard you will
see CPU and RAM stats along with events on its
right side.
23How To Securely Set Up Shipyard 2.0.10 with TLS
on CoreOS
- Conclusion
- Shipyard is up and running with secured TLS on
CoreOS. - You should also be able to configure additional
servers with Docker and connect them to your
Shipyard instance for management. - Youve also learned how to connect to your
Shipyard instance using the GUI, and learned how
to deploy new containers on your Docker host with
secured TLS using the command line as well as
GUI. - It helps you in managing your containers and
cluster of hosts safely and securely. - You can also add a client key and certificate to
your local machine so you can remotely manage
your Docker cluster from anywhere. - Thats all, I hope you have got this article much
helpful. - Feel free to get back to us in case of any issue.